Malicious PDF — malware analysis report

Static analysis result for SHA-256 a44ec930a118e961…

MALICIOUS

PDF

Size: 79.8 KB
Created: 2021-03-24 16:39:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ff2b8b02bb7015ae1dd16195fae3ee4
SHA-1: b9bbf063d79a9348defca28b3489e6ed5fc199fa
SHA-256: a44ec930a118e961acf3ccc7e357164172ccb6d2308b0b01295ba8683de983ce
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF containing an embedded URL that mimics a search query for a book title, likely intended to trick the user into visiting a malicious site. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing or trojan PDF. No scripts were extracted, but the embedded URL is the primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://botokaw.ru/wix?keyword=a+and+p+john+updike+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                     | Size
font_00_sfnt_off0000fc5c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC5C  | 4952 bytes
  SHA-256: 870a723667b86ab920e440b46641896122b7e3e314bcf5f619c6f2669e7caf97
font_01_sfnt_off00010d42.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10D42 | 10736 bytes
  SHA-256: 358dc25548b2b119cb1d0d2e402a3c26a80b7637a554183258fe05311967e39f