Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9ec4bcc1fddc578…

MALICIOUS

PDF

74.6 KB Created: 2021-02-21 21:09:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c79d7fd187936e83efe98e00d975e01b SHA-1: 7bc0f69bc876687a524766b16c75b97726764ce7 SHA-256: a9ec4bcc1fddc5789f4e90b7b3f26f50123302da6807b35e19a6efc3db7b431d
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to a suspicious domain, likely used for phishing or distributing further malware. The PDF structure and embedded content suggest it's part of a phishing campaign, potentially using a lure related to product specifications.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/aws?utm_term=amplificador+mtx+terminator+tna251+especificaciones
    • https://cdn.sqhk.co/gekakisoduvo/7dbihtB/nurasow.pdf
    • https://cdn.sqhk.co/wujugojuse/gdgimLC/7_level_185.pdf
    • https://cdn.sqhk.co/moxawitab/hjhif8Y/jufovusifowebaz.pdf
    • https://static.s123-cdn-static.com/uploads/4426263/normal_5fcdd11a07efe.pdf
    • https://static.s123-cdn-static.com/uploads/4417419/normal_5fe19008376a5.pdf
    • https://cdn.sqhk.co/borefigux/FeHzJij/woboripesisugiripus.pdf
    • https://cdn-cms.f-static.net/uploads/4365570/normal_601f57542aa83.pdf
    • https://cdn.sqhk.co/walumupo/VhfOv46/mukovuwetimefes.pdf
    • https://static.s123-cdn-static.com/uploads/4408588/normal_5ff5eb991b0a7.pdf
    • https://cdn-cms.f-static.net/uploads/4456712/normal_600f608a01b40.pdf
    • https://cdn.sqhk.co/letaziseb/jaNgfjj/police_chase_houston_beltway_8.pdf
    • https://cdn.sqhk.co/jofutagi/bjjdBgQ/fovolevod.pdf
    • https://cdn.sqhk.co/tizesefetus/dicgims/budetolovabitoxafe.pdf
    • https://cdn.sqhk.co/rovonoset/jhFlheZ/tijalakete.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/wizidimawag/66224548809.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e44f.bin
6fa74536d5919898de7f364b48ed30813f845be396f31eb1a161268fd3018f3f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE44F 5664 bytes
font_01_sfnt_off0000f795.bin
7bce976b0b4abf78c785f99da96f748c2bcdbd600bbcbcf5d895aba0e1f6f248		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF795 11296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.