Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cc429165cd76b1a…

MALICIOUS

PDF

Size: 76.7 KB
Created: 2021-04-04 00:53:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0421ce7e8d806a2933eddedc46d51f0a
SHA-1: 2ace5a0177698bbe520153f8650fbbb040a935a9
SHA-256: 9cc429165cd76b1a386e4caca0159927af5e8184601ba87643e7b3010fbf99f1
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to a suspicious domain, suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, appears to be a lure related to 'sheet music'. No scripts were extracted, but the presence of an external URI and the nature of the detection indicate a likely attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://lozipotod.ru/123?utm_term=reflection+mulan+pdf+sheet+music
    • https://sidugavumudoriz.weebly.com/uploads/1/3/4/9/134902227/e67bf805a92214.pdf
    • https://pefanesixalis.weebly.com/uploads/1/3/5/3/135329455/kitodovet.pdf
    • https://cdn.sqhk.co/pelonulu/cFoDhgi/battle_of_berlin_1945_free_full.pdf
    • https://cdn.sqhk.co/zoxowowi/faCQiga/fall_basket_ideas_for_boyfriend.pdf
    • https://bizavewes.weebly.com/uploads/1/3/5/3/135323934/7211750.pdf
    • https://cdn-cms.f-static.net/uploads/4472488/normal_600fea152efe0.pdf
    • http://shoop-fp.ru/68171269511b9s6l.pdf
    • https://cdn.sqhk.co/batumozi/dxeheia/butajixad.pdf
    • https://sekatuxu.weebly.com/uploads/1/3/4/8/134894727/popaxawopu-sikodurowasosug-nidom-kusex.pdf
    • http://idealicaitaly.site/22395847799rdqsf.pdf
    • https://cdn.sqhk.co/jemitaso/jZjjjb8/offroad_outlaws_first_barn_find_2020.pdf
    • https://static.s123-cdn-static.com/uploads/4410989/normal_5fc9619533702.pdf
    • http://bluetea.space/zach_stop_vine_explanationbll56.pdf
    • https://static.s123-cdn-static.com/uploads/4375528/normal_5fff085a81ce5.pdf
    • https://cdn.sqhk.co/desiruzag/5QJjaxY/58746381466.pdf
    • http://christinaanddavid2019.com/100_gb_free_data_internetf28iu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/be6bfb1b-d023-462b-a932-020ebc08fef6/96707768340.pdf
    • https://56a79910-2d97-40e4-a1df-bca3b17021d7.filesusr.com/ugd/2721fc_1260d49c4e4942a9a428c3b1e103f7dc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ef46b5de-4e68-4628-a007-97e10958b97d/how_to_repair_my_treadmill.pdf
    • https://uploads.strikinglycdn.com/files/e2ed9e81-eb43-4041-9589-661b0e808277/bayesian_statistics_course_mit.pdf
    • https://9d76d0c6-5807-43ac-a2ba-7b4112d1a20a.filesusr.com/ugd/5cd33b_7d3810a10b6a41d1a09ebdb6eafbc40d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/75de007b-7900-4c09-b800-70370b9347b6/cantrac_navy_training_courses.pdf
    • https://uploads.strikinglycdn.com/files/2cb28744-8b95-4307-91c4-c304b7231c19/87644566882.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ea15.bin
    SHA-256: c4e864b7159a6be4f2d7d8fad714c333d81b00e7a4173eff02675cd1f1d88ec8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEA15
    Size: 5304 bytes
  • Filename: font_01_sfnt_off0000fc02.bin
    SHA-256: a88f3d5912e0d64b1cec36f00519eeb82f2d6eb56d667fb02f8d399362420c02
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC02
    Size: 11580 bytes