Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5790449f0a87be3…

Verdict: MALICIOUS
File type: PDF
Size: 69.7 KB
Created: 2021-02-15 07:49:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0a976d4a1092741773b83297cea40474
SHA-1: 7d823c68128a3fe61f9fa01cef7ba7a4114a3345
SHA-256: a5790449f0a87be3a02d079681c11d0e6d95e4b7e2d7f8991b26662c2caafbd4
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV detection, indicating malicious intent. The embedded URL and numerous other extracted URLs point to external resources, suggesting the document is designed to redirect users to potentially malicious websites. The presence of PDF_URI and EMBEDDED_URL heuristics strongly suggests the document's primary function is to facilitate access to these external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://maypoin.ru/wix?keyword=gerber+06+manual+for+sale

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000cb61.bin
    SHA-256: ad0c66ead96e7cec01e6369b1a2e87e6d412b7edab27feb959bfc685e7f266d6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCB61
    Size: 5380 bytes
  • font_01_sfnt_off0000dd96.bin
    SHA-256: d528d9eafd109e5d0405a1903418400e8e2db6ccbb88deb97136443826d64155
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDD96
    Size: 13784 bytes