Malicious PDF — malware analysis report

Static analysis result for SHA-256 a29eb132dd6220fc…

MALICIOUS

PDF

Size: 75.6 KB
Created: 2021-05-12 12:32:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 68c4e05182a878045429b869543a116e
SHA-1: 50aa7c96f05adcb30813e19ac24af7cebc77ca6c
SHA-256: a29eb132dd6220fc18c23e9a94da944654bdc6ebaaa4b036246ca92c81f7362e
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by multiple heuristics, including a critical ClamAV detection and an ML classifier. The embedded URL and the document body, which prompts the user with a business-related question, suggest a phishing or scam attempt. The presence of PDF-specific heuristics and embedded URLs indicates the document is designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/strik?utm_term=what+is+your+business+activity+code (label: URL)
    • https://static.s123-cdn-static.com/uploads/4378160/normal_5fc9460906998.pdf
    • https://cdn-cms.f-static.net/uploads/4403429/normal_6049efd383089.pdf
    • http://setofexperience.site/tilupseznx.pdf
    • https://cdn.sqhk.co/nogugojuri/eT7SQge/dixidujafekofolonove.pdf
    • https://cdn.sqhk.co/nesadatifu/X5cgggc/extinction_zombie_invasion_mod.pdf
    • http://xtreme-sport.ru/cant_open_garageband_filex1md3.pdf
    • http://sanatoriy-izumrudny.ru/togawumojs0z07.pdf
    • https://static.s123-cdn-static.com/uploads/4391621/normal_5ff181ef9716e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://bb491b24-4c81-4ccc-8daa-bf1baeb171c2.filesusr.com/ugd/93c935_388edcdcac384dafaa01e7576156290e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0e529b49-ecad-41a6-8f2d-405c173d43c6/53012539306.pdf
    • https://s3.amazonaws.com/fuwenoxuzasila/mopig.pdf
    • https://uploads.strikinglycdn.com/files/4ce3d548-0172-496b-aabc-fc747252617e/how_cold_is_dimethyl_ether.pdf
    • https://s3.amazonaws.com/kibavutibeved/cules_son_los_animales_que_se_encuentran_en_peligro_de_extincin_en_nuestro_pas.pdf
    • https://uploads.strikinglycdn.com/files/bdf6b902-360c-4140-bb4f-0241dfa45bd1/funny_in_farsi_chapter_24_summary.pdf
    • https://02bc4616-4eae-4b38-b2c9-0e654f754ee0.filesusr.com/ugd/069df5_2b42a7fd87224214856f8dcc1bff988c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/879d9789-0d61-4de4-940c-a6391e6a3444/zujabakozixeguribopa.pdf
    • https://s3.amazonaws.com/telasebisu/datefofuzevimasidu.pdf
    • https://938a05da-450f-421e-a59b-0448473a402a.filesusr.com/ugd/cb5dea_47a2e00208b84826bd22ea71b3bf6cbd.pdf?index=true
    • https://s3.amazonaws.com/mibiwivanetuj/solving_equations_with_one_variable_worksheet.pdf
    • https://s3.amazonaws.com/gulapore/konakeluvusekej.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000e9c8.bin
    SHA-256: 41c14201370de2754c5efeeb140e36c65c002efe1d051a3f2fd5e71c837c5e1a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE9C8
    Size: 5308 bytes
  • font_01_sfnt_off0000fbe5.bin
    SHA-256: 9f83107facbe18a4e2733e39d4bf663cf8ae450d54fd1f705ae007bf583a5e3c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFBE5
    Size: 11076 bytes