Malicious PDF — malware analysis report

Static analysis result for SHA-256 94ddb2482e335874…

MALICIOUS

PDF

161.8 KB Created: 2021-03-17 02:20:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5beaa94ddf22f86308bc453539697c1f SHA-1: 70ea058a0fcb9e62e87887caebaeeae82030d086 SHA-256: 94ddb2482e335874b099f0f00ff26064398f0576a63e40a8ac56e78c2159a823
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The file is identified as malicious by ML classifiers and ClamAV, with a heuristic indicating a fake invoice lure. The embedded URL, https://leonvi.ru/wix?keyword=fallout+wanderers+edition+book+2, is likely the primary payload delivery mechanism. While no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest it's designed to exploit vulnerabilities or trick the user into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/wix?keyword=fallout+wanderers+edition+book+2
    • https://cdn.sqhk.co/popenewosaso/BqEjggj/screaming_goat_meme_sound_button.pdf
    • http://instas.site/657093957065dbug.pdf
    • https://cdn-cms.f-static.net/uploads/4379723/normal_5fdc396da1e69.pdf
    • https://cdn-cms.f-static.net/uploads/4485578/normal_60479f0dafe9c.pdf
    • https://cdn.sqhk.co/xubipoxeguza/aADhjtp/bandpass_filter_matlab_2012.pdf
    • http://verifiedbadge-lnstagram.com/presupuesto_de_capital_definicion_y_caracteristicasmf3jz.pdf
    • http://lanasobewusek.22web.org/dupegumalevizotofiseroliw.pdf
    • https://cdn.sqhk.co/besimiwi/dihjfid/6131958482.pdf
    • http://robertferrell.net/96113769740ywsgs.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nogobixa.epizy.com/payment_receipt_lic.pdf
    • https://e8dc5420-792a-4861-90db-09cfc8d8a7d1.filesusr.com/ugd/1378f5_4e657b699c2049d996b9793e3495367e.pdf?index=true
    • https://a21f0d7d-5fe0-4a99-a381-3b18266e0880.filesusr.com/ugd/6c313a_20e4b38f77334b70b8a253e01e1b9018.pdf?index=true
    • https://52a1af19-6946-4c37-aba6-ab00a30e4874.filesusr.com/ugd/5dc3ca_1206ba89d6da4d04a2b331fe553b490b.pdf?index=true
    • https://8e12fe21-47c1-448c-af9e-883e7c84523b.filesusr.com/ugd/52ac5e_e1b3e00004b24948a85a420e7542ea3f.pdf?index=true
    • https://f803bf1b-e1c2-47f6-a41f-c9785c88fbd4.filesusr.com/ugd/bf07b1_1ece893c6bff4cb28239320c24bd9f64.pdf?index=true
    • http://vopepogam.rf.gd/70889614640.pdf
    • http://xuwuxubemepimox.rf.gd/57313847031.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00023e19.bin
568f2a62330a48e5950233ec8d5d8eed54a758c2032f429305621390dab1dc6e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23E19 5200 bytes
font_01_sfnt_off00024fec.bin
55330d621f0b00045270945270afcbfa0aea7312453a17ad46ed50ac6d65d110		 pdf-font-stream PDF embedded font (sfnt) at offset 0x24FEC 11632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.