Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ca7df2d93ee5a62…

Verdict: MALICIOUS
File type: PDF
Size: 79.5 KB
Created: 2021-04-07 06:17:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d6e480e475a7190b5ae16e63d6a8ec70
SHA-1: d12dfef2f90e5d7681e46f6503cbb9243e84c4d1
SHA-256: 9ca7df2d93ee5a62ed70584d95d1288826ac8ea98ffa56f622f8c5b6ddc16fbd
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged by a machine learning classifier and by five heuristics, two of them above informational severity. ClamAV matches a PDF phishing signature, and the SE_MFA_LURE heuristic indicates the document asks the reader for a one-time code, authenticator approval or MFA confirmation, a social-engineering pattern used by credential phishing kits that capture the second factor or the resulting session token. The document also carries an external URI action pointing to a suspicious domain, so the lure text together with the outbound link is consistent with a credential harvesting campaign delivered as a spearphishing attachment. Two caveats for triage: the EMBEDDED_URL list below mixes candidate lure links with XMP namespace and font-licence URIs (w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL) that are ordinary document and font metadata rather than indicators, and the ascendercorp.com entries most likely come from the embedded fonts' metadata as well; and T1059.007 (JavaScript) is mapped although no JavaScript heuristic fired in this static pass, so that technique is not confirmed by the evidence shown here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve it to different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (every save-in-place appends a fresh definition), so severity is raised only when the duplicate carries active content (an action, script or similar).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/award?keyword=bases+of+market+segmentation+pdf
    • http://wgathering.org/wenowisuv5ii4.pdf
    • http://axecheat5.xyz/american_english_file_1_descargar_gratisjalel.pdf
    • http://copyright-supporthelp.com/5923824901463ote.pdf
    • https://static.s123-cdn-static.com/uploads/4413718/normal_5fe2cba32cc03.pdf
    • https://static.s123-cdn-static.com/uploads/4414336/normal_5fee70a9ab252.pdf
    • https://cdn-cms.f-static.net/uploads/4460471/normal_60310966ceb8d.pdf
    • https://cdn.sqhk.co/jogepirar/ibgfGhj/boxaramixojadumo.pdf
    • https://cdn-cms.f-static.net/uploads/4373016/normal_5fd3cc0f6db70.pdf
    • https://cdn.sqhk.co/gemadaruvow/Duiaijo/77623051224.pdf
    • https://static.s123-cdn-static.com/uploads/4421471/normal_5fc7c6e046bcc.pdf
    • https://cdn-cms.f-static.net/uploads/4378845/normal_6022d7f9ed39f.pdf
    • https://cdn.sqhk.co/guwuweri/Pv9gdgc/33178784989.pdf
    • http://goldotzyv.ru/14869193282e4t62.pdf
    • http://nosinoski.shop/sofewumezagadelipijugs08g.pdf
    • https://cdn-cms.f-static.net/uploads/4385010/normal_60417ef1948a6.pdf
    • https://cdn.sqhk.co/wuxidubez/dijixji/decode_duo_codenames_duet_online_locally.pdf
    • https://cdn-cms.f-static.net/uploads/4447089/normal_6044608f775ad.pdf
    • http://promoocaoameericanas.com/43730424251buhne.pdf
    • http://podarokinsta.online/61764912600dp71t.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/sefukirexuwekij/90550430356.pdf
    • https://s3.amazonaws.com/vuterijoze/bobotufazodikagip.pdf
    • https://s3.amazonaws.com/tigewibejageju/git_commands_tutorial.pdf
    • https://s3.amazonaws.com/memexelu/starcraft_remastered_gameplay_free_to_play.pdf
    • https://s3.amazonaws.com/jojitagifuva/83769718697.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
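The PDF_URI / EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL findings above rest on two pieces of logic: pull every /URI action target out of the file, and notice when the same "N G obj" is defined twice with different bytes. The script below is an added example that reimplements both on a constructed PDF; it is not the analysis pipeline's own code, and the object numbers, URLs and the sample file are made up. It is regex-based triage rather than a conforming PDF parser: it walks the bytes in file order instead of the cross-reference tables, which is exactly what lets it see both definitions of a duplicated object, and it also shows what a first-wins and a last-wins reader would each resolve.

```python
"""Added example (not the report's own tooling): reproduce the logic behind the
PDF_URI / EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics on a
constructed PDF. Regex-based triage, not a conforming PDF parser."""
import re
from collections import defaultdict

# "N G obj ... endobj", non-greedy so one body cannot swallow the next object.
# Caveat: a stream containing the literal bytes "endobj" would cut a body short.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI (string), with PDF backslash escapes allowed inside the literal string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Keys that make a redefined body "active content"; the report raises severity
# above 'info' only in that case.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def parse_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> [body, ...], keeping every definition in file order."""
    objs = defaultdict(list)
    for num, gen, body in OBJ_RE.findall(pdf):
        objs[(int(num), int(gen))].append(body.strip())
    return dict(objs)


def extract_uris(pdf: bytes) -> list:
    """Every /URI action target, including ones only a first-wins reader would see."""
    uris = []
    for bodies in parse_objects(pdf).values():
        for body in bodies:
            uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


def resolve(pdf: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """Simulate a reader's choice for a duplicated object: 'first' or 'last' wins."""
    bodies = parse_objects(pdf).get((num, gen))
    if not bodies:
        raise KeyError(f"{num} {gen} obj not defined")
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(pdf: bytes) -> list:
    """(num, gen, first_body, last_body, active) for objects defined more than
    once with differing bytes. Identical re-definitions are not reported.
    `active` is True when the last body carries an ACTIVE_KEYS entry; inert
    differences are still reported, with active=False (the report's 'info')."""
    findings = []
    for (num, gen), bodies in parse_objects(pdf).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in bodies[-1] for k in ACTIVE_KEYS)
            findings.append((num, gen, bodies[0], bodies[-1], active))
    return findings


# Constructed sample, not the analysed file. Object 5 is a link annotation that
# an appended incremental update redefines with a different target. Cross-
# reference tables are omitted to keep the sample short; a reader that recovers
# from a missing xref scans the file and has to pick one of the two definitions.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
    b" /A << /S /URI /URI (https://example.org/legit) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # --- incremental update appended after the original %%EOF ---
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
    b" /A << /S /URI /URI (https://phish.example.net/login) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_PDF):
        print("EMBEDDED_URL", uri)
    for num, gen, first, last, active in duplicate_objects(SAMPLE_PDF):
        print(f"PDF_DUPLICATE_OBJ_BODY_INCREMENTAL {num} {gen} obj "
              f"severity={'high' if active else 'info'}")
        print("  first-wins reader sees:", resolve(SAMPLE_PDF, num, gen, "first"))
        print("  last-wins reader sees: ", resolve(SAMPLE_PDF, num, gen, "last"))
```

Run against a real sample, the URI list is the raw EMBEDDED_URL output: everything the bytes contain, benign metadata URIs included, which is why the report attaches a per-URL channel label instead of treating the list itself as a detection. The severity rule in duplicate_objects is the one the heuristic text describes; a benign incremental save that only touches inert dictionaries stays at info.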

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fa5f.bin
    SHA-256: 9e1a46f8ce7edc9e6293bb1675b7f10cc028e29bd11dab9460c84da112fd591e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA5F
    Size: 5440 bytes
  • font_01_sfnt_off00010cd6.bin
    SHA-256: 790f855d3c7e1f2fced26550f5b4288c7ff7b9648100c0ff36d5e2a57f06c338
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CD6
    Size: 10480 bytes
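The artifact table records each carved font by raw file offset, size and SHA-256, which is what lets another analyst confirm the carving independently. The script below is an added example of how such a carver works; it is not the pipeline's own code and runs on a constructed PDF whose font streams are dummy bytes with a valid sfnt magic. It finds stream objects, trusts /Length only when "endstream" really follows that many bytes (a lying /Length is a standard way to make two parsers disagree about a stream's contents), undoes FlateDecode where present, keeps streams that begin with an sfnt magic, and names them the way the table does.

```python
"""Added example (not the pipeline's own carver): locate stream objects in a
PDF, decode FlateDecode where needed, keep those that start with an sfnt
magic, and record them like the artifact table (index, raw offset, size,
SHA-256). Runs on a constructed PDF built at the bottom of the file."""
import hashlib
import re
import zlib

# Stream header: "N G obj <<...>> stream" followed by EOL; data starts after it.
STREAM_HDR_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)stream\r?\n", re.S)
# Direct integer /Length only; an indirect "/Length 12 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?=\s*[/>])")
# sfnt wrappers: TrueType (0x00010000 or 'true'), CFF-based OpenType, collections.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_streams(pdf: bytes):
    """Yield (num, gen, dict_bytes, data_offset, raw_data) for each stream.

    /Length is trusted only when 'endstream' actually follows that many bytes;
    otherwise the delimiter is searched for instead."""
    for m in STREAM_HDR_RE.finditer(pdf):
        num, gen, d = int(m.group(1)), int(m.group(2)), m.group(3)
        start = m.end()
        end = None
        length = LENGTH_RE.search(d)
        if length:
            cand = start + int(length.group(1))
            if pdf[cand:cand + 11].lstrip(b"\r\n").startswith(b"endstream"):
                end = cand
        if end is None:
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            while end > start and pdf[end - 1:end] in (b"\r", b"\n"):
                end -= 1  # drop the EOL that precedes the keyword
        yield num, gen, d, start, pdf[start:end]


def decode_stream(d: bytes, data: bytes) -> bytes:
    """Undo FlateDecode (the only filter this toy handles); anything else passes through raw."""
    if b"/FlateDecode" in d:
        try:
            return zlib.decompress(data)
        except zlib.error:
            return data
    return data


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Carved font records in file order, named font_<idx>_sfnt_off<offset>.bin
    like the report; offset is the raw stream's position in the file and the
    hash is over the decoded font bytes."""
    fonts = []
    for num, gen, d, off, raw in iter_streams(pdf):
        data = decode_stream(d, raw)
        if data[:4] not in SFNT_MAGICS:
            continue  # page content, images, XMP packets: not fonts
        fonts.append({
            "filename": f"font_{len(fonts):02d}_sfnt_off{off:08x}.bin",
            "object": (num, gen),
            "offset": off,
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return fonts


# Constructed sample: one content stream, one raw TrueType-style font stream,
# one FlateDecode-compressed CFF OpenType font stream. The font bodies are
# dummy bytes behind a valid magic: enough for carving, not real fonts.
def make_stream_obj(num: int, d: bytes, data: bytes) -> bytes:
    return b"%d 0 obj %s stream\n%s\nendstream endobj\n" % (num, d, data)

CONTENT = b"BT /F1 12 Tf 72 720 Td (Enter the code we sent you) Tj ET"
FONT_A = b"\x00\x01\x00\x00" + bytes(range(60))   # 64 bytes
FONT_B = b"OTTO" + bytes(range(40, 80))            # 44 bytes
FONT_B_Z = zlib.compress(FONT_B)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + make_stream_obj(4, b"<< /Length %d >>" % len(CONTENT), CONTENT)
    + make_stream_obj(6, b"<< /Length %d /Length1 %d >>" % (len(FONT_A), len(FONT_A)), FONT_A)
    + make_stream_obj(7, b"<< /Length %d /Filter /FlateDecode >>" % len(FONT_B_Z), FONT_B_Z)
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in carve_sfnt_fonts(SAMPLE_PDF):
        print(f["filename"], f["sha256"], "pdf-font-stream",
              f"PDF embedded font (sfnt) at offset 0x{f['offset']:X}", f["size"], "bytes")
```

Hashing the decoded bytes is the choice that makes the artifact hash comparable across tools, since the same font compressed by two PDF writers yields different raw stream bytes; the offset, by contrast, must refer to the raw file so the artifact can be located with a hex editor.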