Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f6f345905a66161…

Verdict: MALICIOUS
File type: PDF
Size: 70.2 KB
Created: 2021-03-22 17:14:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d03111436cfbf318dd36d752a64acc0f
SHA-1: a54b3cd9ad65639af1e3e74a058fad308a615b7c
SHA-256: 8f6f345905a66161dafe3b717b0ea94804e6c68a855cb3257db43b916655b6ec
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The PDF contains embedded URLs that point to suspicious domains, suggesting it is used to redirect users to phishing or malware download sites. The presence of external URIs and embedded URLs strongly suggests a phishing or malware distribution attack pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/wix?keyword=la+lupita+el+monte
    • http://leadtop.co/cloudy_urine_pregnancyuw6q9.pdf
    • http://gapijet.scienceontheweb.net/arable_crop_production_in_nigeria.pdf
    • http://vitonidero.medianewsonline.com/actividad_economica_y_los_agentes_economicos.pdf
    • https://nekitunanozot.weebly.com/uploads/1/3/5/3/135346928/vojelezipibo.pdf
    • https://lupenasax.weebly.com/uploads/1/3/4/7/134738003/677146.pdf
    • http://ninomut.sportsontheweb.net/tomamuxexuxajomexizefeko.pdf
    • http://netewe5.xyz/linear_absorption_coefficient_equation791f5.pdf
    • http://alania365.ru/lejawikujojifuzojawiscebw.pdf
    • http://smartline58.ru/danby_portable_air_conditioner_12000_btu_costcorz1ak.pdf
    • http://tewosube.mypressonline.com/purine_and_pyrimidine_biosynthesis.pdf
    • http://e-devletodeme.net/areas_del_departamento_de_alimentos_y_bebidas_de_un_hoteloeekr.pdf
    • http://ttop-shop.com/587114333373f5rq.pdf
    • https://bezumovepefare.weebly.com/uploads/1/3/5/3/135337037/5243590.pdf
    • http://getbuiss.online/cartoon_wars_part_2_scriptbjba8.pdf
    • https://fogufufizanalu.weebly.com/uploads/1/3/0/8/130813948/kewaserenaso_zalemapadek_xedaki.pdf
    • http://vkrowl.com/rakerilofupebalugewenopik1aa.pdf
    • http://taforojujutusig.mygamesonline.org/sogakibolapemofijebupi.pdf
    • https://pilidikuvitas.weebly.com/uploads/1/3/4/7/134766888/7ff47a43.pdf
    • https://zokutiwako.weebly.com/uploads/1/3/0/8/130873782/fukabivar.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6b43078b-2559-4bd0-b9db-dd5378e65ba1/60786668522.pdf
    • https://uploads.strikinglycdn.com/files/12eb83a5-26ea-4f08-bdd9-6b5039f18bed/tejaxogawigot.pdf
    • https://uploads.strikinglycdn.com/files/40a4f78d-4cfa-465f-99bd-088991b7100a/fifty_shades_of_grey_full_movie_download_hindi_dubbed_300mb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d48a.bin
  SHA-256: c9fc03fa3b114f52ceccdac530c8cb509f9b972c174d35426337b1ea5bb9adff
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD48A
  Size: 4632 bytes

Filename: font_01_sfnt_off0000e43f.bin
  SHA-256: c410ccdfbff12c8387806b3476b5a9637eddf57f79c840fa76cc3a4d9b2c4501
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE43F
  Size: 11988 bytes