Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8c67b5761328d97…

MALICIOUS

PDF

78.1 KB Created: 2021-03-21 05:05:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46a9cc2122b40be57ccdfec446e729fa SHA-1: fdff97c6b66eddead5ed0588921e4870f28260bf SHA-256: a8c67b5761328d971b616af8420b18808fd93cc53d0f51039203ce284300b0c2
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics as malicious, including a high-severity rule indicating an image-heavy PDF with an invisible link to a suspicious domain. The ML classifier also assigned a very high probability of maliciousness. The embedded URLs point to domains commonly associated with malware distribution, suggesting the document is a lure to download a secondary payload. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/wix?keyword=aqualogic+inline+heater+manual
    • http://golosa-spasibo.ru/singer_6235_manualfrkpf.pdf
    • https://cdn-cms.f-static.net/uploads/4425921/normal_6037c987594d4.pdf
    • http://phrensy.co/aota_occupational_therapy_schools4cqlh.pdf
    • http://detonic-italia.website/tap_tap_fish_mod_apk_happymodxzebm.pdf
    • https://static.s123-cdn-static.com/uploads/4491159/normal_5fe3e3953b8f4.pdf
    • http://mikazuxo.mypressonline.com/commodore_64_emulator_windows_xp.pdf
    • https://cdn-cms.f-static.net/uploads/4393506/normal_60525f6c4759e.pdf
    • http://regsenatvumen.website/fupokibatazokevaruzegoue5zj.pdf
    • https://cdn-cms.f-static.net/uploads/4476765/normal_604f78cc092a7.pdf
    • http://carbackseat.site/72939554268zehhi.pdf
    • http://autocredit.moscow/feliz_navidad_chords_michael_bublekmkqi.pdf
    • http://trycabinets.xyz/dogekanttlhz.pdf
    • http://securityofusersdevicesonline.site/nukamofabody941.pdf
    • http://roboludawu.mywebcommunity.org/how_do_you_solve_a_2x2_rubiks_cube_in_two_moves.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/2753736e-bd00-4ada-9b62-5afe03777953/nofodukabinosuxowureb.pdf
    • https://uploads.strikinglycdn.com/files/af17cf70-053c-4614-a0fd-d12dda2d3a80/why_does_my_ac_light_keep_blinking.pdf
    • https://uploads.strikinglycdn.com/files/e5f9dc44-7ea8-4030-9ca7-7d8837f8720e/how_to_reset_schlage_electronic_lock.pdf
    • https://uploads.strikinglycdn.com/files/f4fe67bd-45e2-408f-a76b-664eec137ba3/the_long_winters_band.pdf
    • https://uploads.strikinglycdn.com/files/b247fc90-c01b-4bde-8c44-ad8bc42eb4b4/principles_of_real_estate_1_practice_exam.pdf
    • https://uploads.strikinglycdn.com/files/db601430-b076-47c0-a50f-3191d87930a7/resumen_de_los_juegos_del_hambre_parte_1.pdf
    • https://uploads.strikinglycdn.com/files/9a1301c8-2963-470b-9d72-f80e0090e9fb/apple_ipod_nano_2nd_generation_battery_replacement.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e4a7.bin
90dee4f3815cc190230eba0a6adcfa274f9bc6cda1fdb40a5f185d340fb53bb7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE4A7 5032 bytes
font_01_sfnt_off0000f58c.bin
405115cb607c6612cf81969404768af55d23ba99e3bb15b037ce0330033adc16		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF58C 11572 bytes
font_02_sfnt_off00011cd8.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11CD8 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.