Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5c5bcfedd065309…

MALICIOUS

PDF

Size: 80.8 KB
Created: 2021-03-27 15:00:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 189d8343beae00ac611bebbd14942ab4
SHA-1: 1fa9ddaacb3504433acd7b051de6d5dc4099abc5
SHA-256: a5c5bcfedd06530975763d5269744691c4bd146151019806292a080c1492e7bf
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that mimics a search result, likely intended to trick the user into visiting a malicious site. ClamAV and ML classifiers strongly indicate maliciousness, and the presence of external URIs points to a phishing or credential harvesting attempt. No scripts were extracted, but the PDF structure and embedded URIs are sufficient to infer a phishing attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fa6a.bin
SHA-256: b277e5a06bbd8657639ec5f0390e376d6dcdd60035fa869ad3c3a9348d9dc708
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFA6A
Size: 5384 bytes

Filename: font_01_sfnt_off00010cb6.bin
SHA-256: faa9b9625986a5cf2fcb7264d5a07f1eeff669652fd6169b457bc37a1b415e5e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10CB6
Size: 12868 bytes