Malicious PDF — malware analysis report

Static analysis result for SHA-256 946e6c1101614a71…

MALICIOUS

PDF

Size: 82.4 KB
Created: 2021-02-16 11:27:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80ed3c5c763d70f5f57756211e286269
SHA-1: 5175c4918ddf92573be87afea0bf804400b69f58
SHA-256: 946e6c1101614a711ca045fd8022183de32e62c7c38890d4f20edf86c74c3e55
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, and numerous other malicious URLs were extracted. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware delivery. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest it's designed to redirect the user to a malicious site, potentially exploiting PDF vulnerabilities or using JavaScript for redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/wix?keyword=algebra+factoring+review+maze+answers
    • http://findattime.com/duladarejagudedakirixefen5td.pdf
    • http://erethiztzj.space/8348122245zvs4g.pdf
    • http://vinograd.io/ketufoxoxinqt0q.pdf
    • http://reduslimitaly.website/javofagimerimazevagieukw9.pdf
    • http://mandarins.space/36154864502w8lix.pdf
    • http://womans30planet.com/44566881635l7rq6.pdf
    • https://fomimixa.weebly.com/uploads/1/3/4/7/134775862/rewadutug.pdf
    • https://static.s123-cdn-static.com/uploads/4393635/normal_5fef01bebc47f.pdf
    • https://ritosigom.weebly.com/uploads/1/3/1/4/131453630/busupejumululodijoj.pdf
    • https://vuxabodunufa.weebly.com/uploads/1/3/1/4/131407539/dudojogefanajup_kugagito.pdf
    • http://swiss-gear.store/cage_the_elephant_album_download_ziplgg8p.pdf
    • http://easy-money-cash.space/binomial_probability_worksheet_ii_answerslqznw.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/sulasatevirexo/ecfmg_status_report.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off0000ed0e.bin
  SHA-256: 3f6a639e9f3bca9ca06858beea6ae770645a63fbf268272a5a48b3088ec49bfd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xED0E
  Size: 5532 bytes

font_01_sfnt_off0000fff0.bin
  SHA-256: 8249389f3bbd4563b143f7b035e096d1a9530a7c228cf6168552868832186b62
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFFF0
  Size: 11512 bytes

font_02_sfnt_off000126fb.bin
  SHA-256: 51c0df4927b6c625bff8d4722c3e725325acd3c375c895a134a01e6919b1bf36
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x126FB
  Size: 16156 bytes