Malicious PDF — malware analysis report

Static analysis result for SHA-256 a17cbc31f8ac2989…

MALICIOUS

PDF

67.5 KB Created: 2021-03-29 19:04:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6eedc0f216d0d1abcf7949ccf3cffa6c SHA-1: 4a34e86c1969d999980baa1ab2d987a5aab64969 SHA-256: a17cbc31f8ac2989f348cc8ef9979b748776454106250e1d7b715139460c3c27
116 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by multiple heuristics and a machine learning classifier as malicious, specifically identified as a phishing trojan by ClamAV. The 'SE_CALLBACK_LURE' heuristic indicates the document's content is designed to trick users into calling a phone number, a common tactic in callback phishing and tech-support scams. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it may contain or link to malicious content, potentially leveraging JavaScript for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/aws?utm_term=route+48+bus+schedule+sunday
    • http://stc-l.ru/bidezemcwrai.pdf
    • https://cdn-cms.f-static.net/uploads/4446280/normal_5fd375b2ceb48.pdf
    • https://static.s123-cdn-static.com/uploads/4493602/normal_5ff4c40ec5673.pdf
    • https://cdn-cms.f-static.net/uploads/4418791/normal_605277afaa1ea.pdf
    • http://gloslides.com/dazewufkljy.pdf
    • https://static.s123-cdn-static.com/uploads/4387412/normal_5ff462a4e5df3.pdf
    • https://cdn-cms.f-static.net/uploads/4500910/normal_604a9af7c17bf.pdf
    • http://soldonlittleton.com/research_design_qualitative_quantitative_and_mixed_methods_approaches_ebookougx6.pdf
    • http://wspring.space/28772475855dapti.pdf
    • http://kprovk.xyz/firefox_marketplace_app_for_jio_phoneqciaw.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/40b20c31-9966-4fd3-8367-f08264d230f3/bipolidek.pdf
    • https://uploads.strikinglycdn.com/files/34f9b28f-f015-4ec4-a23e-6ec7a7c78395/python_3_dictionary_update_method.pdf
    • http://febiked.rf.gd/29366652889.pdf
    • https://uploads.strikinglycdn.com/files/5104f1c8-5bb5-4753-bf92-99ccc1220293/poulan_pro_pp4218a_repair_manual.pdf
    • https://uploads.strikinglycdn.com/files/2f8d21ad-0d91-4069-a494-e1b08616b85e/42928913923.pdf
    • https://uploads.strikinglycdn.com/files/e8008847-c950-4554-9629-e21b3e84f679/39027264213.pdf
    • https://uploads.strikinglycdn.com/files/0d9911ed-bf87-4823-9ce3-c21c8fc830b3/35991069607.pdf
    • https://uploads.strikinglycdn.com/files/92c121e0-1791-434f-b033-a5dea6b1d721/drag_and_drop_not_working_in_outlook_2016.pdf
    • http://mefafetutibigaw.epizy.com/kenuditurufafi.pdf
    • https://uploads.strikinglycdn.com/files/00f56a11-6c73-4333-995a-878db67c844f/46363126365.pdf
    • https://uploads.strikinglycdn.com/files/b1b36e84-fd6c-4c57-ad4b-2cd42cc0b76f/are_expired_supplements_still_good.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c94a.bin
cb37dff54f30b63dd1d6ebc1df0f620f8effb7dce4dd97fa393dc59f9ad6c55b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC94A 5464 bytes
font_01_sfnt_off0000dbea.bin
4962877c3ebf634dd15ad57abe3b89b7175fbad2d1679ded481f267213704c50		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDBEA 10720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.