Malicious PDF — malware analysis report

Static analysis result for SHA-256 97e0e9904b1528b0…

MALICIOUS

PDF

119.0 KB Created: 2021-03-16 17:57:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 09c1b6d6d13bf872dfeab04b3a84e592 SHA-1: 7276a8febb1a296bf50d5fd2db022c82fe3be316 SHA-256: 97e0e9904b1528b0659d93f969c492675ddc261ce27edb716aa1015e32412ab0
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that points to a suspicious domain, likely intended to host a phishing page or download further malware. ClamAV detection and ML classification strongly indicate malicious intent, consistent with a phishing lure disguised as a policy document. No scripts were extracted, but the presence of an external URI and the overall detection profile suggest a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/award?keyword=structural+adjustment+policies+pdf
    • https://cdn.sqhk.co/gejupajo/hMCc7Qd/4x8_cardboard_sheets_for_sale.pdf
    • https://static.s123-cdn-static.com/uploads/4407060/normal_5fd04b227150a.pdf
    • https://static.s123-cdn-static.com/uploads/4460228/normal_5fefdd44cf72f.pdf
    • https://static.s123-cdn-static.com/uploads/4405420/normal_5ffbcb9673cf0.pdf
    • https://cdn-cms.f-static.net/uploads/4374699/normal_5fd384d1a36e7.pdf
    • https://cdn.sqhk.co/vatukaso/GibFhaQ/funny_videos_whatsapp_group_links_south_africa.pdf
    • https://cdn.sqhk.co/begokaxawip/KhcjeED/flash_element_td_2_download.pdf
    • https://cdn.sqhk.co/jezaziritav/ghggFjb/13832485332.pdf
    • https://cdn-cms.f-static.net/uploads/4402740/normal_600ef55b9d97e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/327c191e-6d23-4ed4-9f8e-d3901851df21/how_to_replace_bearing_on_whirlpool_duet_washer.pdf
    • https://s3.amazonaws.com/toliwudalamem/power_pressure_cooker_recipe_for_chicken_wings.pdf
    • https://d1ced4a1-fa29-4c66-b583-77209f32159a.filesusr.com/ugd/c88d8b_b3843753902e45598e41ff1041f4a09b.pdf?index=true
    • https://s3.amazonaws.com/mejigavukolu/calendar_template_2019-_20_school_year.pdf
    • https://uploads.strikinglycdn.com/files/34c5bfa2-1044-45c9-a13a-58ac68c6c71c/92852421842.pdf
    • https://98748e4b-3258-471a-903e-8ea98415cca0.filesusr.com/ugd/fd7405_a33ccb1e9b95414d80416cc4281d0c8d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/94f564c6-1387-423c-82e6-0e2bacab9f21/83945283757.pdf
    • https://s3.amazonaws.com/livivuvuwugeb/biochemistry_dictionary_free.pdf
    • https://uploads.strikinglycdn.com/files/2458e652-f5c1-4b5f-a8af-26640129a0b6/black_male_names_that_start_with_r.pdf
    • https://0fc0baf9-b884-4fcd-968e-f93c0f938930.filesusr.com/ugd/68ec51_2d87eb1a0c3647a3acf85a3c4c505ecc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e54e4dc6-3328-4738-a3e3-b5290963584d/is_logic_pro_x_good.pdf
    • https://s3.amazonaws.com/gozilum/dusuluga.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000159fa.bin
96b87efbb44324bf25b4059172781d5c890e3123488642d0dc64ddb9a750900b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x159FA 17648 bytes
font_01_sfnt_off000191e3.bin
ee30d2c7d059cf420b743dfacbb4882b637e5efa83807cd953976cee1b117f73		 pdf-font-stream PDF embedded font (sfnt) at offset 0x191E3 5480 bytes
font_02_sfnt_off0001a474.bin
2de7d1a6f1c35a9fee43e6a034c47031c1031bf7d05ab4106dd282524977f0a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A474 12736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.