Malicious PDF — malware analysis report

Static analysis result for SHA-256 975c459e8c3326ee…

Verdict: MALICIOUS
File type: PDF
Size: 95.1 KB
Created: 2021-03-19 19:49:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9d0933625b77fa15cbfe6d9bcb0ba0b5
SHA-1: 449d1a0c8400e88c5146a2b0e25135e2c5c4b0cc
SHA-256: 975c459e8c3326ee623295c587ecd9a6b623b85a5f7df223272d7b9c6156f60e
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to a suspicious domain, suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, appears to be related to a 'mathematical analysis apostol solutions manual', likely a lure to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/123?utm_term=mathematical+analysis+apostol+solutions+manual

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00010ffa.bin | 221fe5c23e44db446077b4229d7ef36d1612d5777dba7c0facda9f3ccd75d0f5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10FFA | 5184 bytes
font_01_sfnt_off0001218c.bin | c068e2afa81068a523b59b437290c3d3da98d528db6d5f7bc44d6b28889b443e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1218C | 3128 bytes
font_02_sfnt_off00012e7a.bin | 13e41d604406fca64a8b9677a20d037a8eaa7157bbb425d231bc9dddc48773ae | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E7A | 11936 bytes
font_03_sfnt_off00015743.bin | ea1cd29fce2d186ac19d53e1ba9cdfd4afefb9ef6bedcb4245aa1c53dc49a3de | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15743 | 16520 bytes