Malicious PDF — malware analysis report

Static analysis result for SHA-256 a84f42c3f9427366…

MALICIOUS

PDF

Size: 175.8 KB
Created: 2021-03-16 11:27:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e794210c694b921dc0d00604e81d5efa
SHA-1: 6bae4260119771550885f5ed1517d55ad58aec60
SHA-256: a84f42c3f9427366e4bd3c09f643232d11587840fc2a41d61e2b4f8f82e53015
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or credential harvesting attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest it's designed to redirect users to a malicious site, potentially for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/award?keyword=al+quran+juz+24+pdf
    • http://zovitidagawas.sportsontheweb.net/21502141895.pdf
    • http://kufafukedexepix.mygamesonline.org/what_is_the_healthiest_cheese_to_get_at_subway.pdf
    • https://tazanuna.weebly.com/uploads/1/3/5/9/135977230/rifowikebudowez.pdf
    • https://benofafixumiwif.weebly.com/uploads/1/3/4/4/134497886/xoladiridaxo_zalewobulababan_mazej_ribadetirexox.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://c63ca81c-6df4-4ec3-bc2e-8508f29a6879.filesusr.com/ugd/d48fe3_466738107c32473b9abede2f2c8d74a6.pdf?index=true
    • https://dacf5b84-f80e-4bd8-bb7f-22aad20a1cd8.filesusr.com/ugd/285be4_dbb56cb264544079b21db63d7f93dc44.pdf?index=true
    • https://s3.amazonaws.com/zamuriza/aaahc_manual_2018.pdf
    • https://s3.amazonaws.com/kelageketisefuv/ancient_history_sourcebook_the_twelve_tables_answers.pdf
    • http://xuwuwum.epizy.com/zijus.pdf
    • https://4eb3a9b5-ca6a-4b2a-896e-878abc754f3b.filesusr.com/ugd/f1ab86_ea0fff02772646df8ee86d96bb0eba98.pdf?index=true
    • https://s3.amazonaws.com/samopakamefap/febosizo.pdf
    • https://71347f20-8353-4153-bebc-dd2a28b3a5cf.filesusr.com/ugd/a382ee_75d490f57eb5426bba1d297db73d2f07.pdf?index=true
    • https://8eccd3b7-fb20-4588-a5b5-4d8c58591879.filesusr.com/ugd/0e6328_bb73cb37f6ec4626af11abb286364833.pdf?index=true
    • http://zakivijojinikij.epizy.com/complex_sql_queries_examples_with_answers.pdf
    • https://s3.amazonaws.com/jexijer/lafepalinutuj.pdf
    • https://989244f3-426d-4557-b4f1-0018dac9047c.filesusr.com/ugd/57c819_cec73807235a447481f9f136463e1102.pdf?index=true
    • https://12c9c681-cafc-4f88-93da-cb6f471fd49a.filesusr.com/ugd/f09a9d_1650bc8a85d242c6b6660635422fe967.pdf?index=true
    • http://jirarawoxi.rf.gd/nubukofetojokara.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

stream_005_off0002711f.bin
    SHA-256: 8338d434c39089900ecc94a6a315f1e91d013b9424fc6d155692d4b7beda155b
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2711F
    Size: 35384 bytes

font_00_sfnt_off0002313e.bin
    SHA-256: ae2fe050facd9347bb1009f612c088185daaebc79a247b417c55829f3931eb79
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2313E
    Size: 1596 bytes

font_01_sfnt_off00023949.bin
    SHA-256: 40dccb2338a0514b961df9ae1851f3c1624a7a9d350b710191cab3fd3909e6ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23949
    Size: 5316 bytes

font_02_sfnt_off00024b86.bin
    SHA-256: 143236bd8ab3cf7357f229515fdeb7f27a5edcc5f12b0c619dd2c5a0d93d1345
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24B86
    Size: 11024 bytes