Malicious PDF — malware analysis report

Static analysis result for SHA-256 a906c87d51e48a24…

Verdict: MALICIOUS
File type: PDF
Size: 82.5 KB
Created: 2021-03-27 19:04:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 608430a38bbaa28de6b2c53f7a672e1b
SHA-1: a49678a4f4457364147cc4ed1c5bc93c2d0dafb5
SHA-256: a906c87d51e48a240d1dc359a0e269fe2eb62d683971ff3a3d57c428f827a9fb
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain, identified by heuristics as a potential phishing or malicious content delivery vector. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were directly extracted, the PDF structure and embedded URI suggest it is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000100ec.bin (SHA-256 efa5b24e7db333d683cc8a3094d5478300c80aea1ffaf542befc20650543856d) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100EC | 5468 bytes
font_01_sfnt_off00011371.bin (SHA-256 26569c5bcd58afa46a78b70b593253f8715860aac0824b9f21c14d3e1fdf2b76) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11371 | 12440 bytes