Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a19652bfa8ee1cf…

MALICIOUS

PDF

Size: 93.6 KB
Created: 2021-03-25 08:57:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0c29f3816dd496215e4c2d1ed0cc5919
SHA-1: 9d69ea291c1a6b9af81a5a34a44de58d5e96a0d4
SHA-256: 9a19652bfa8ee1cf8b935d0ad9611ec29757bb199e4c4df55af8b205d6640e4a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. The embedded URL points to a site offering movie downloads, a common lure for phishing or malware delivery. Although no scripts were directly extracted, the PDF structure and the presence of external URIs suggest an attempt to redirect the user to a malicious resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion pattern used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://jacksth.ru/wix?keyword=the+predator+%25282018%2529+tamil+dubbed+movie+watch+online+free+download+dvdrip

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                      | Size
font_00_sfnt_off00012e15.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E15  | 6132 bytes
  SHA-256: 31a4c7c49d634e87d3d634cf330654a2f83a89733d4c35ad3d8adaa5fa54777a
font_01_sfnt_off000142f2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x142F2  | 10772 bytes
  SHA-256: 15f746eb09a983165b525620516296c022f2e8ed5eba7a3976ba363352e53070