Malicious PDF — malware analysis report

Static analysis result for SHA-256 92897df0a2660b38…

Verdict: MALICIOUS
File type: PDF
Size: 148.6 KB
Created: 2021-03-31 14:25:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8d73f431c1c3e92f4fbaf5b718f95a9a
SHA-1: 9153dab2d90c5633d165ac86bb4dbb9a31db80e1
SHA-256: 92897df0a2660b3810eef71703df8f76cc414cb04128aca72d8a60ef7f8b5171
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action whose target, https://xezojetit.ru/wix?keyword=ps+vita+release+date (the URL set apart in the embedded-URL list below), is a domain consistent with phishing or malware distribution. The ClamAV signature and the ML classifier agree on the verdict. The document body, although heavily obfuscated, contains keywords that match the URL's query string, suggesting a keyword lure that funnels the reader to a fake information page. Note that no JavaScript heuristic fired in this analysis: the T1059.007 tag is not corroborated by the heuristics listed below, and the URI action is the only active content the report identifies.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9749

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also exactly what a benign incremental update produces, so the severity stays at info unless a duplicate body carries active content (a /URI, /JavaScript, /Launch or /OpenAction entry, for example); here none did, hence info.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL on its own is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record how each URL was reached, and those labels are not shown in this report. Reading the list: the first entry is set apart by the report and is consistent with the external URI action flagged above; the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace identifiers; scripts.sil.org/OFL, ascendercorp.com and daltonmaag.com are the licence and foundry strings that embedded-font metadata carries. None of those last two groups is a navigation target.
    • https://xezojetit.ru/wix?keyword=ps+vita+release+date
    • https://cdn.sqhk.co/gopuxipo/ii2UFSo/cooking_fever_game_app_download.pdf
    • http://freud.icu/82909773778ijzj3.pdf
    • https://cdn.sqhk.co/wimiwupo/hjahaeh/daninowugimezo.pdf
    • http://antonioit.space/interview_questions_for_managersglshq.pdf
    • https://cdn.sqhk.co/nexoratuxi/gTZgiIZ/ncis_la_tonight.pdf
    • https://cdn.sqhk.co/duzupafuj/hhjdhaY/mewebatiwipemelemuko.pdf
    • https://cdn.sqhk.co/fixikumeboga/U9jeRge/96906791179.pdf
    • http://requiredjokblog.com/beats_solo_3_wireless_gold_and_white71c18.pdf
    • https://cdn.sqhk.co/sepagumal/imv7Sax/learning_english_beginners_online_free_course.pdf
    • https://cdn.sqhk.co/sodelaranu/Mqjj6y8/27144703694.pdf
    • https://cdn.sqhk.co/boxokozofe/jghggEk/60601201963.pdf
    • http://bio-ita.fun/3540986627f6w32.pdf
    • http://lnstagramsupportingcenter.com/sri_rudram_laghunyasam_meaningkpzn6.pdf
    • https://cdn.sqhk.co/temetixufuxi/8Xjijhr/fast_food_food_open_near_me_on_christmas.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/d2014d42-4356-4cab-843e-4707da8d28ee/6399351568.pdf
    • https://87164119-88a6-4d6d-a72f-b109cf2d88b9.filesusr.com/ugd/bd0a66_945f913e040a4187822b7a0251c98405.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d46ad6fd-3740-4389-b6fc-e9d85e1e05ab/samsung_tv_service_mode_key_input.pdf
    • https://uploads.strikinglycdn.com/files/8ad6294e-1223-47be-974f-024772b88483/95072358504.pdf
    • https://uploads.strikinglycdn.com/files/288ebd08-e691-4110-96a4-992ac86a0551/69021230563.pdf
    • https://uploads.strikinglycdn.com/files/12d028ed-51ff-4abb-812b-30f2def4acbd/competency_based_interview_questions_and_answers_united_nations.pdf
    • https://uploads.strikinglycdn.com/files/84081dcb-6faf-495a-89c1-9dbb260b39b1/best_money_management_books_reddit.pdf
    • https://uploads.strikinglycdn.com/files/ac58c09d-f108-4840-9f40-c3d5271ad862/man_on_the_street_interviews_funny.pdf
    • https://0d555108-1732-4721-8d72-76d747b2053a.filesusr.com/ugd/1b0481_f05d8ab3eee94efdb470046c46b45b9d.pdf?index=true
    • https://35548484-ce42-4b18-9d9d-834326683263.filesusr.com/ugd/a221b6_003dd012700840b7880c08ee627b7596.pdf?index=true
    • https://f0198b83-f3fe-41b4-8315-bacd7eabb238.filesusr.com/ugd/2b3f46_0ac70a44c34447099634d74bb08f130b.pdf?index=true
    • https://0793e221-2e7e-4176-aae8-4ff4b75d8f7a.filesusr.com/ugd/64bd79_44a06e7290df4701b200f216962cadb5.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
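The duplicate-object and embedded-URL heuristics above describe checks that are easy to reproduce on raw bytes. The script below is an added example written for this page, not the analysis engine's own code: it finds indirect objects defined more than once, shows what a first-wins and a last-wins reader would each resolve, rates the duplicate by whether any body carries an active-content key, and labels every extracted URL by channel (URI action, XMP metadata, or plain document body). The sample PDF, its incremental update, the lure URL, the object numbers and the ACTIVE_KEYS list are constructed assumptions; streams are taken as uncompressed, so a real sample needs FlateDecode and object-stream expansion before this runs.

```python
"""Regex-level PDF triage (added example): duplicate indirect objects and
URL channel labels. Raw bytes only; streams are assumed uncompressed."""
import re
from collections import defaultdict

# "N G obj ... endobj"; the lookbehind stops "endobj" and "N 0 R" from matching.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
XMP_RE = re.compile(rb"<\?xpacket begin.*?<\?xpacket end[^>]*>", re.S)

# Keys that make an object act rather than merely display (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")
# XMP/RDF vocabulary URIs: metadata namespaces, never navigation targets.
NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                      "http://purl.org/dc/elements/1.1/",
                      "http://ns.adobe.com/")

def object_bodies(pdf: bytes) -> dict:
    """Map (num, gen) -> list of body bytes, in file order."""
    seen = defaultdict(list)
    for num, gen, body in OBJ_RE.findall(pdf):
        seen[(int(num), int(gen))].append(body.strip())
    return seen

def duplicate_objects(pdf: bytes) -> dict:
    """Objects defined more than once with at least two distinct bodies."""
    return {k: v for k, v in object_bodies(pdf).items() if len(set(v)) > 1}

def resolve(pdf: bytes, num: int, gen: int, policy: str) -> bytes:
    """Body a first-wins ('first') or last-wins ('last') reader uses for (num, gen)."""
    bodies = object_bodies(pdf).get((num, gen))
    if not bodies:
        raise KeyError(f"object {num} {gen} is not defined")
    return bodies[0] if policy == "first" else bodies[-1]

def duplicate_severity(pdf: bytes) -> str:
    """'none' without duplicates, 'info' for body-only differences,
    'high' when a duplicate body carries an active-content key."""
    dups = duplicate_objects(pdf)
    if not dups:
        return "none"
    for bodies in dups.values():
        if any(key in body for body in bodies for key in ACTIVE_KEYS):
            return "high"
    return "info"

def label_urls(pdf: bytes) -> dict:
    """Map each URL to the channels carrying it: 'uri_action' (/URI action),
    'xmp_metadata' (inside an XMP packet or a known namespace), else 'document_body'."""
    labels = defaultdict(set)
    for m in URI_ACTION_RE.finditer(pdf):
        labels[m.group(1).decode("latin-1")].add("uri_action")
    xmp_spans = [(m.start(), m.end()) for m in XMP_RE.finditer(pdf)]
    for m in URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if any(s <= m.start() < e for s, e in xmp_spans) or url.startswith(NAMESPACE_PREFIXES):
            labels[url].add("xmp_metadata")
        elif not labels[url]:
            labels[url].add("document_body")
    return dict(labels)

# Constructed sample: a link annotation (5 0) with no action, then an
# incremental update that redefines 5 0 with a /URI action. The lure URL,
# the XMP packet and the object numbers are invented for this example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Metadata 4 0 R >>
endobj
4 0 obj
<< /Type /Metadata /Subtype /XML >>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?><x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta><?xpacket end="w"?>
endstream
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://lure.example/landing?keyword=ps+vita) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    print("duplicate severity:", duplicate_severity(SAMPLE_PDF))
    for ref in duplicate_objects(SAMPLE_PDF):
        print(ref, "first-wins:", resolve(SAMPLE_PDF, *ref, "first"))
        print(ref, "last-wins: ", resolve(SAMPLE_PDF, *ref, "last"))
    print(label_urls(SAMPLE_PDF))
```

On the sample, a first-wins reader sees a link annotation with no action while a last-wins reader sees the /URI action, which is the split the heuristic warns about, and the namespace URIs in the XMP packet come out labelled as metadata rather than as targets.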

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt fonts, which wkhtmltopdf output routinely carries, and the foundry and licence URLs in the embedded-URL list (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL) are the kind of strings font name tables hold. Check the SHA-256 values against known-good copies of the fonts before treating them as indicators; nothing in this report flags them.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0001adcb.bin
  SHA-256: b527b02db2d0ce6ef8a3945b8e747f90bfa7720c63c85d9462ff51c81f220c29
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1ADCB
  Size:    23964 bytes

font_01_sfnt_off0001fa0a.bin
  SHA-256: 30de18ab99a2db5d92ec7846ba7b0e5c5a522d18ca9a99ab9acb4f79dc84e75e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1FA0A
  Size:    4452 bytes

font_02_sfnt_off00020930.bin
  SHA-256: 517c03b1c68a71e1513d7df33b16a5fb1093784367d4a7dadb2270dd98ce7f05
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x20930
  Size:    13620 bytes

font_03_sfnt_off000235c0.bin
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x235C0
  Size:    4324 bytes
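The artifact table above lists carved sfnt fonts by offset, size and SHA-256. The script below is an added example of that carving step, not the tool's implementation: it walks stream objects that have a flat dictionary with a direct /Length, inflates /FlateDecode streams, accepts a blob as an sfnt only if its magic, table count and table directory are self-consistent, hashes the decoded bytes, and names each hit the way the table does. The PDF, the font, the helper names and the sfnt builder are constructed for the example; indirect /Length values, object streams and filters other than FlateDecode are out of scope.

```python
"""Carve embedded sfnt fonts from a PDF and validate their headers (added
example). Flat stream dictionaries with a direct /Length only."""
import hashlib
import re
import struct
import zlib

STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct lengths only
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sfnt_header(data: bytes):
    """Return the table tags if data is a plausible sfnt, else None."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", data[4:6])[0]
    if num_tables == 0 or 12 + 16 * num_tables > len(data):
        return None                       # directory would run past the blob
    tags = []
    for i in range(num_tables):
        tag, _csum, offset, length = struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i])
        if offset + length > len(data):
            return None                   # record points outside the blob: truncated or forged
        tags.append(tag.decode("latin-1"))
    return tags

def carve_fonts(pdf: bytes) -> list:
    """Every stream whose decoded bytes pass parse_sfnt_header, with the
    offset of the encoded stream data, decoded size, SHA-256 and a file
    name in the report's font_NN_sfnt_offXXXXXXXX.bin scheme."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        lm = LENGTH_RE.search(m.group(1))
        if not lm:
            continue
        start = m.end()
        raw = pdf[start:start + int(lm.group(1))]
        if b"/FlateDecode" in m.group(1):
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue                  # corrupt or mislabelled stream: not a font
        else:
            data = raw
        tags = parse_sfnt_header(data)
        if tags is None:
            continue
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "offset": start,
            "size": len(data),
            "sha256": sha256_hex(data),
            "tables": tags,
        })
    return found

def build_sfnt(tables) -> bytes:
    """Minimal TrueType-flavoured sfnt from (tag, bytes) pairs (test fixture only)."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)   # search fields left zero
    records, body = b"", b""
    for tag, payload in tables:
        records += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)        # tables are 4-byte aligned
    return header + records + body

# Constructed sample: one plain content stream and one FlateDecode font stream.
FONT = build_sfnt([(b"head", b"\0" * 54), (b"name", b"DemoSans")])
COMPRESSED = zlib.compress(FONT)
CONTENT = b"BT /F1 12 Tf (hello) Tj ET"
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    + b"2 0 obj\n<< /Length %d >>\nstream\n" % len(CONTENT) + CONTENT + b"\nendstream\nendobj\n"
    + b"3 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(COMPRESSED), len(FONT))
    + COMPRESSED + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print(f["filename"], f["size"], "bytes", f["sha256"], f["tables"])
```

The content stream is rejected by the magic check and the inflated font is accepted with its two tables, so only one artifact is filed; a stream whose table directory overruns the blob is rejected as well, which is the check that stops a truncated or forged header from being catalogued as a font.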