Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5f6f1a212fd0079…

MALICIOUS

PDF

Size: 75.8 KB
Created: 2021-03-21 23:08:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65529e997128c06352ed9b6c7392420c
SHA-1: 72f91101a5cec1d7305a0c351884ebe235e50457
SHA-256: a5f6f1a212fd0079590c0a177c78602cbdbf5668cd83c59d140980a6792f6164
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a lure related to 'Nba live unlimited coins and cash apk', and includes an external URI pointing to a suspicious domain. ClamAV detection and ML classification strongly indicate maliciousness, likely for phishing or malware distribution. No scripts were extracted, but the presence of external URLs suggests an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/wix?keyword=nba+live+unlimited+coins+and+cash+apk

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e98f.bin
    Hash: 05d7c11c2b7bfb43782c1983385b65c74b075715a80087008e1e4d6f5dee3279
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE98F
    Size: 5448 bytes
  • Filename: font_01_sfnt_off0000fbfb.bin
    Hash: ee55fec15086659825675cdafe57645bf3f9aa6b33e2754325771b0915667919
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFBFB
    Size: 10936 bytes