Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e613eaaffc8627d…

MALICIOUS

PDF

79.2 KB Created: 2021-03-18 13:33:58 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e807be702ee41534f3a4262f9453c7da SHA-1: ca2580eb3d15c527ba43575561e3492126d8ec5f SHA-256: 9e613eaaffc8627d1bee92f4a9db4aea3881137cb4d0585a59a8de44814de052
116 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The sample was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The 'SE_CALLBACK_LURE' heuristic strongly suggests a callback phishing or tech-support scam pattern, where the document prompts the user to call a phone number. While no executable scripts were directly extracted, the PDF structure and external URL suggest it may exploit vulnerabilities or lead to a malicious payload download, aligning with exploitation techniques.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/aws?utm_term=big+green+egg+acacia+table+cover
    • https://cdn-cms.f-static.net/uploads/4486775/normal_600ef4c7d6332.pdf
    • https://static.s123-cdn-static.com/uploads/4504047/normal_5fec93db3cc03.pdf
    • https://bilujadaju.weebly.com/uploads/1/3/4/7/134772480/959b78eb9ac8aff.pdf
    • http://novijixonusasu.mywebcommunity.org/64960344643.pdf
    • http://hightrade.club/solekipub7pr6i.pdf
    • https://nefosedinipal.weebly.com/uploads/1/3/4/6/134698739/jijaxabur.pdf
    • https://zugowexilib.weebly.com/uploads/1/3/5/3/135349829/rawoj.pdf
    • https://cdn-cms.f-static.net/uploads/4479707/normal_6027fda334b78.pdf
    • http://bisapusid.mypressonline.com/washington_state_football_game_on_tv.pdf
    • http://maslovauto.ru/birdpapa_bubble_crush_game6p5xf.pdf
    • https://zeteleginogegop.weebly.com/uploads/1/3/4/5/134526156/povuwojigusonokefa.pdf
    • http://mainsale.pro/skywalker_12_trampoline_weight_limitdvw7b.pdf
    • http://itsamorem.com/hillsborough_county_school_calendar_2019_through_202092816.pdf
    • https://nedamekiwuj.weebly.com/uploads/1/3/1/3/131379605/8127258.pdf
    • http://good-production17.site/tazetanamizeginuxozu10eoy.pdf
    • https://static.s123-cdn-static.com/uploads/4421464/normal_5fcfa0a7930d3.pdf
    • https://cdn-cms.f-static.net/uploads/4387924/normal_60428ae3838a2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f7bc.bin
07fdcbb4a508277d93d94b29b6e94ed7221e2ba64ea3579fef9c65f08dba445f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF7BC 5036 bytes
font_01_sfnt_off000108fc.bin
e379107621b11b993b0530b0655ba75b5331f58f237c9b96bca8c62f3733c353		 pdf-font-stream PDF embedded font (sfnt) at offset 0x108FC 11464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.