Malicious PDF — malware analysis report

Static analysis result for SHA-256 905f935042d8fe96…

Verdict: MALICIOUS

Type: PDF
Size: 79.8 KB
Created: 2021-04-08 08:58:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 86d67a21a468265536b3642cde1b9e73
SHA-1: c1f3986a827f3d5613c2091eddf8915c78b3c173
SHA-256: 905f935042d8fe96ed64a979c87354e2b37d51976ec64253565496c9eeb707ac
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that ML classifiers and ClamAV flag as malicious; ClamAV names it a phishing trojan. It contains an external URI action pointing to a suspicious domain, likely intended to deliver a malicious payload or redirect to a phishing page. The document body is heavily obfuscated, but the embedded URLs (credit-union and job-search lookups) suggest a lure themed around job searches or financial institutions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The XMP namespace identifiers (w3.org, purl.org, ns.adobe.com) and the font-licence and foundry links (scripts.sil.org/OFL, ascendercorp.com) come from document metadata and the embedded fonts and are not navigation targets.
    URL: https://xezojetit.ru/strik?utm_term=nc+state+employees+credit+union+near+me
    • https://cdn.sqhk.co/disumuneriva/RZifyjg/90_s_rock_music_greatest_hits.pdf
    • http://lg-supportteam.com/indeed_job_search_app_for_androidtp0bn.pdf
    • https://cdn.sqhk.co/xewazezikufi/hifKihH/31113892417.pdf
    • https://cdn-cms.f-static.net/uploads/4377407/normal_6041819c4696e.pdf
    • http://wordsideget.top/288770696589t18g.pdf
    • https://cdn-cms.f-static.net/uploads/4410952/normal_6027919e73d32.pdf
    • http://samozanyat.info/stock_requirement_list_in_sapo0cms.pdf
    • http://pixelbarista.com/hypertension_canada_guidelinesti0p2.pdf
    • https://static.s123-cdn-static.com/uploads/4478683/normal_5fe390f499e12.pdf
    • https://cdn.sqhk.co/lupobikud/igciggh/cut_it_out_idiom_in_a_sentence.pdf
    • http://idealicait.website/zozaxadadurobumafupabobwxlk5.pdf
    • https://cdn.sqhk.co/bopibege/dhgy0gg/kizawotibagadijomepuz.pdf
    • http://prizinsta365.site/194389559180ffjb.pdf
    • https://static.s123-cdn-static.com/uploads/4411252/normal_5fdd31529a0cb.pdf
    • http://profoto22.ru/us_attorneys_office_dc_internshipyn8wb.pdf
    • http://naturagrush.space/nidenovakabikizizosadove98up.pdf
    • https://cdn.sqhk.co/lojosewude/APhe4du/92613009798.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
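To make the two PDF heuristics above concrete (the duplicate-object parser-confusion shape and URI extraction), here is an added Python example that is not part of this report or of the scanner that produced it. It runs on a constructed two-revision PDF embedded in the script; the object numbers, the URLs and the ACTIVE_TOKENS list are assumptions for illustration. The raw-byte scan deliberately ignores the xref tables so that it sees every definition regardless of which one a particular reader's xref resolves.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a two-revision PDF whose incremental
# update redefines object 4 0 (the link annotation) with a different /URI target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://attacker.example/lure.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" for every indirect object, in file order. A conforming
# reader walks the xref chain instead; scanning raw bytes is what lets us see
# definitions that a given xref table hides.
OBJ_RE = re.compile(rb"(?s)(\d+)\s+(\d+)\s+obj\b(.*?)endobj")
# /URI (literal string), with backslash escapes allowed inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Assumed list of tokens treated as "active content" for severity escalation.
ACTIVE_TOKENS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def iter_objects(data):
    """Yield ((num, gen), body_bytes, offset) for each object definition."""
    for m in OBJ_RE.finditer(data):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip(), m.start()


def find_duplicate_objects(data):
    """Return {(num, gen): [(offset, body), ...]} for objects defined more than
    once with at least two distinct bodies (the PDF_DUPLICATE_OBJ_BODY shape)."""
    seen = defaultdict(list)
    for key, body, off in iter_objects(data):
        seen[key].append((off, body))
    return {k: v for k, v in seen.items() if len({b for _, b in v}) > 1}


def resolve(data, key, policy="last"):
    """Body that a first-wins or last-wins reader would use for object `key`."""
    bodies = [body for k, body, _ in iter_objects(data) if k == key]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def triage_duplicates(data):
    """Map each duplicated object to 'info' or 'raised', following the report's
    rule: body-only differences stay info unless active content is involved."""
    verdicts = {}
    for key, entries in find_duplicate_objects(data).items():
        active = any(tok in body for _, body in entries for tok in ACTIVE_TOKENS)
        verdicts[key] = "raised" if active else "info"
    return verdicts


def extract_uris(data):
    """All /URI targets in file order, whichever revision they live in."""
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


if __name__ == "__main__":
    for key, entries in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"object {key[0]} {key[1]} defined {len(entries)} times")
        print("  first-wins ->", resolve(SAMPLE_PDF, key, "first"))
        print("  last-wins  ->", resolve(SAMPLE_PDF, key, "last"))
    print("verdicts:", triage_duplicates(SAMPLE_PDF))
    print("URIs:", extract_uris(SAMPLE_PDF))
```

Running it prints the two competing bodies of object 4 0, the verdict for that object, and both URLs. The triage point: a first-wins reader (or an analyst who inspects only the original revision) sees the benign link, while a last-wins reader follows the updated one, so every revision has to be scanned before a URL list such as the one above can be considered complete.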

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000fb00.bin
  SHA-256: 720f0545daf5c2d01062ef30e102ae05bdd599e57b45fa64689c1cf73ee00e44
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xFB00
  Size:    5288 bytes

font_01_sfnt_off00010cf5.bin
  SHA-256: 1c5cf03196bdeba30ce4c954985c04eaafabf8a117f344eb3228fa12756d47d9
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10CF5
  Size:    10944 bytes