Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d0106ae64b2844e…

Verdict: MALICIOUS
File type: PDF
Size: 87.1 KB
Created: 2021-03-15 10:27:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6e4e35567da36cd5e226fddd8881a261
SHA-1: d08cfbba076b2b28f049fe2dffee1be5d399bf9e
SHA-256: 9d0106ae64b2844e1a343763c92413e1701a0ceb06c3ccfb1ea6667d1a100ede
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The document body contains text that appears to be a search query for 'Corcoran high school address', likely intended to trick the user into clicking a malicious link. The embedded URI 'https://mezovuduw.ru/wix?keyword=corcoran+high+school+address' directly supports this phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/wix?keyword=corcoran+high+school+address

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011706.bin
SHA-256: a0983bced3f8bfe9ed92a2a4eeac06e5f880f5a3ccf394d4570d69e9e1529ddc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11706
Size: 5104 bytes

Filename: font_01_sfnt_off00012855.bin
SHA-256: f0d996fae5baf6eef1604a5dbb7024515a22999bdd96d529fda28605c4fe3619
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12855
Size: 11388 bytes