Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8cccdc62d45a182…

MALICIOUS

PDF

78.1 KB Created: 2021-04-17 23:25:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c4232a5bd416810cbed5d0880083cad SHA-1: 5903470b37b1c521699bb2f1e72d94a5cf1832d7 SHA-256: a8cccdc62d45a182f523131626920539506d9db3bab87ba42f81e22bc1e8419c
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple embedded URLs, with one prominent URL pointing to a domain associated with phishing activity. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to redirect users to a phishing site disguised as a manual. No scripts were extracted, but the PDF structure and embedded URIs suggest a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=line+6+bass+pod+pro+manual
    • http://busibear.com/720227325350na2u.pdf
    • http://kismyketio.com/44256149287mmxn2.pdf
    • http://azalea.store/battle_stick_dragon_tournament_legend_mod_apk_downloadqdusb.pdf
    • https://vuduzilir.weebly.com/uploads/1/3/1/8/131857383/b5b197.pdf
    • http://gudutisiluzew.mypressonline.com/3330288239.pdf
    • https://komamezumef.weebly.com/uploads/1/3/1/3/131398541/maviremojene.pdf
    • https://cdn-cms.f-static.net/uploads/4380383/normal_605180d06d95e.pdf
    • http://homebig.space/giduwu70b59.pdf
    • https://cdn-cms.f-static.net/uploads/4417648/normal_601a7b04e4178.pdf
    • http://opensalle.xyz/armattan_rooster_manual0h49w.pdf
    • http://bobatorosas.mypressonline.com/triangulated_irregular_network.pdf
    • http://bilkan.fun/bemikinofamenevebiduvilieqpvt.pdf
    • http://legiontry.online/xarajurabexepodetudor50qk.pdf
    • http://leftoutclub.com/history_of_christianity_in_america_book7rbcw.pdf
    • https://cdn-cms.f-static.net/uploads/4384483/normal_604b952a8b4ba.pdf
    • https://static.s123-cdn-static.com/uploads/4446490/normal_60019a6cc2010.pdf
    • https://xegubivagemegi.weebly.com/uploads/1/3/4/4/134481439/1144515.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/43a89a25-dbda-46a8-b2bc-f1a68a49ec00/funurel.pdf
    • https://uploads.strikinglycdn.com/files/4745cdd3-2bb6-4c96-a07e-3693fa4b81e4/34320107479.pdf
    • http://bifiwapaz.onlinewebshop.net/zoom_cable_modem_3.0_series_1094_specifications.pdf
    • https://uploads.strikinglycdn.com/files/3f4c7815-7365-4c1e-a0ff-b2b6e7ea6c0e/nazokajotinimulawatok.pdf
    • https://uploads.strikinglycdn.com/files/eff65041-468c-42de-9e9e-38784906d7b7/how_to_add_products_to_wix_store.pdf
    • http://fatavetotujel.onlinewebshop.net/vienna_airport_map.pdf
    • https://uploads.strikinglycdn.com/files/71df809c-e01e-41c6-933f-59b84dca0cce/define_unity_of_place_literature.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f15f.bin
cb73a82c92ff9fb84e31500ae1398d64b4d4b5083af7420600a230a602bd13f8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF15F 5340 bytes
font_01_sfnt_off0001036a.bin
1b683c3e880e7791c977d4218f3f5c63fc0d1b15be730879b5dbb54369830413		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1036A 11240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.