Malicious PDF — malware analysis report

Static analysis result for SHA-256 998a32f9df16d2dd…

MALICIOUS

PDF

79.8 KB Created: 2021-03-08 23:10:44 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd5caeedc20067a94bce65edf0cbf22b SHA-1: 6ffb13bf5ace75b7997e110c538edf245b441191 SHA-256: 998a32f9df16d2ddfaebbb41e9b856448f6ea96a4710cf417d9f7e8c0b6fe605
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF document was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV, indicating malicious content. The 'SE_CLICKFIX' heuristic suggests the document is designed to trick users into running commands, likely to download and execute a secondary payload from one of the embedded URLs. The document body, though truncated, contains metadata related to PDF creation, and the presence of embedded URLs points towards a phishing or trojan delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/aws?utm_term=how+to+take+screenshot+on+a+lg+phone
    • https://cdn-cms.f-static.net/uploads/4410694/normal_5fda1d6e5d5c9.pdf
    • https://cdn.sqhk.co/vasibejovej/fsQBKuK/free_ringtones_for_samsung_galaxy_s9.pdf
    • https://romuxejis.weebly.com/uploads/1/3/4/8/134887308/6832e81183919.pdf
    • https://cdn-cms.f-static.net/uploads/4384150/normal_601f2a3586c34.pdf
    • https://mofuxobilewita.weebly.com/uploads/1/3/5/4/135400762/dasetava.pdf
    • https://cdn.sqhk.co/koxopumo/haDijX9/playroom_ideas_for_toddler_boy.pdf
    • http://relaguguwo.22web.org/65682370925.pdf
    • http://lifeit.pro/66950078449f1mft.pdf
    • http://tusukezilineji.66ghz.com/40441282403.pdf
    • https://static.s123-cdn-static.com/uploads/4420031/normal_5feb3f80919d1.pdf
    • https://cdn.sqhk.co/zetoreli/jc8hc2O/neha_kakkar_song_ringtone_download_2018.pdf
    • https://cdn.sqhk.co/bovokolel/Xjbjajg/hair_salon_names_around_the_world.pdf
    • http://italywow.pro/2588998652yagvo.pdf
    • http://espaceclient-cmb.com/mens_health_weight_bench_with_preacherlrmr3.pdf
    • https://cdn-cms.f-static.net/uploads/4446401/normal_60462d9d7929b.pdf
    • http://pusedoropeseb.66ghz.com/android_tv_review_2019.pdf
    • http://buybritishcat.com/girl_with_curious_hair_summary6rixr.pdf
    • https://kejobogufepemis.weebly.com/uploads/1/3/0/7/130775396/5466228.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7b0e00f9-a28e-4139-b41b-8cf31feb867c/11988005154.pdf
    • http://pegawatovejugav.epizy.com/firefox_ad_blocker_failed.pdf
    • https://uploads.strikinglycdn.com/files/0304957d-38f0-46d0-b32a-27fe121ef797/dungeons_and_dragons_5th_edition_character_sheet_microsoft_word.pdf
    • https://uploads.strikinglycdn.com/files/e59eab78-0351-472a-a1f1-99320b26b075/mabexi.pdf
    • http://fozajabuwipebo.epizy.com/62816095427.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fa2b.bin
d5c5ad89ab91af33aede2df1563eda4c8ef92fe60493d1e1aa4071f703fbd9ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA2B 5312 bytes
font_01_sfnt_off00010c52.bin
4b2824da3b4ac6f504dafed116e660e9e1a67fd1f2beede69716c64cc95bdfc0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10C52 10976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.