Malicious PDF — malware analysis report

Static analysis result for SHA-256 a64b7b4a02d3ee69…

MALICIOUS

PDF

74.5 KB Created: 2021-02-16 17:16:48 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 755510dbb818bd2b4705c4452716b5c5 SHA-1: eceb2bdcc522ff307507c42dd7aa94c0ef2f3619 SHA-256: a64b7b4a02d3ee69c034e318d67f03627d42d6a2899cf1467deeecae8005b33f
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded external URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of embedded URLs and the overall malicious verdict strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/strik?utm_term=canon+mx432+scan+to+email
    • https://cdn.sqhk.co/mojobugoge/hcgdkie/godsmack_keep_away_video_meaning.pdf
    • https://cdn.sqhk.co/sebazisop/ihhpgiq/winker_blinker_plug.pdf
    • https://cdn-cms.f-static.net/uploads/4488316/normal_601708c2935b8.pdf
    • https://cdn.sqhk.co/fasotaluvose/dJieDgg/virus_plague_pandemic_madness_mod_apk.pdf
    • https://static.s123-cdn-static.com/uploads/4412896/normal_5ff5793e21763.pdf
    • https://cdn.sqhk.co/nazabimon/Nogihaq/moto_rider_game_free_download.pdf
    • https://static.s123-cdn-static.com/uploads/4413223/normal_5ff2c870ac1e4.pdf
    • https://cdn.sqhk.co/pininipata/grvhfyH/4_pics_1_word_level_2248_answer.pdf
    • https://cdn.sqhk.co/tigadikem/hbij4Uu/dororo_anime_2019_wiki.pdf
    • https://cdn.sqhk.co/laxefotogulo/jijamTZ/mofapabokopenurivo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gowupuzokowuxes/bootstrap_form_multiple_sections.pdf
    • https://s3.amazonaws.com/gizonukorad/79097682486.pdf
    • https://s3.amazonaws.com/jutenojamega/android_carousel_picker.pdf
    • https://s3.amazonaws.com/nisiwanolom/3736060062.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e717.bin
75642058d0af3fecea1dd52cf9a6f664abb9001623d358fa9b2b4ceb73df46c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE717 5208 bytes
font_01_sfnt_off0000f8c8.bin
5c3c9aabb76870bc3aa16d483c0e100081c146e589443ee7c0187366f2f1a56f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF8C8 10540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.