Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac259f280dab638f…

Verdict: MALICIOUS
File type: PDF
Size: 73.2 KB
Created: 2021-03-20 10:31:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1240140df3a652116c40b4a578a8d95
SHA-1: d0b67f12a4d79fd298284af63d4f12250b6751ac
SHA-256: ac259f280dab638fdb4f8f81752290811e8332c84fd9425f0bcad09102ade9b2
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ClamAV (a Pdf.Phishing.Trojan signature) and by the Nyx ML classifier (score 0.9996), which together produce the high risk score. It carries an external URI action whose target, https://jumiwimov.ru/123?utm_term=..., is a suspicious domain most likely used to send the reader to a phishing or malware-distribution page. One indirect object is also defined twice with different bodies, so a first-wins reader and a last-wins reader resolve different content; that parser-confusion shape can hide what a given viewer actually renders, although body-only differences also occur in ordinary incremental updates, so on its own it is only a supporting indicator.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a /URI, /JavaScript or /Launch action).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/123?utm_term=beerappa+jeevitha+charitra+naa+songs
    • https://static.s123-cdn-static.com/uploads/4482002/normal_5ffb27d00e4a2.pdf
    • https://cdn-cms.f-static.net/uploads/4503033/normal_60240745057ee.pdf
    • https://tidevaxapoled.weebly.com/uploads/1/3/5/9/135971763/fd9b3b3bae995.pdf
    • https://static.s123-cdn-static.com/uploads/4403260/normal_5fcb012426de3.pdf
    • https://bizitodavil.weebly.com/uploads/1/3/4/3/134321392/4654019.pdf
    • https://cdn-cms.f-static.net/uploads/4473637/normal_60214f80db3c4.pdf
    • https://cdn-cms.f-static.net/uploads/4460070/normal_6015837316545.pdf
    • http://tepugorotewole.medianewsonline.com/how_to_reset_my_rv_thermostat.pdf
    • https://cdn-cms.f-static.net/uploads/4488323/normal_602581e7a33f0.pdf
    • https://cdn-cms.f-static.net/uploads/4382771/normal_5fd1e8c8102ef.pdf
    • https://static.s123-cdn-static.com/uploads/4417537/normal_5feb1f5cb71ba.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/wujanozo/74091477393.pdf
    • http://madigekole.onlinewebshop.net/83481515130.pdf
    • https://s3.amazonaws.com/satedafadusizo/blur_background_photo_free.pdf
    • https://3b044092-e341-4c69-a8e2-52b14fc1865f.filesusr.com/ugd/370021_881b093f34344048beb4451bb0124a76.pdf?index=true
    • https://s3.amazonaws.com/boduxatavepe/latest_bollywood_movies_2015_free.pdf
    • https://d73c234d-0e3d-497d-8108-d5659bace061.filesusr.com/ugd/58a813_b5138f3faebe4066a7dd1d2bcef2027f.pdf?index=true
    • https://e028ba52-6c86-493e-86b7-fecf7cd1c3eb.filesusr.com/ugd/bcb9fd_8c43d369ba5445e4874d883ee1b2dad6.pdf?index=true
    • http://dapibudajemuk.atwebpages.com/how_many_calories_in_wendys_large_chocolate_frosty.pdf
    • https://c18d7360-3707-4bf1-9d6f-52ba7510fa17.filesusr.com/ugd/76cb06_b581fb0b74604d9ebca661ec6026271a.pdf?index=true
    • https://91506351-5699-48ce-85e7-8e7d071f4e87.filesusr.com/ugd/d775a9_70f6d40e30864b2a91d7eab3aa046303.pdf?index=true
    • http://tuzuxutetug.atwebpages.com/15554672368.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The seven entries immediately above are RDF/XMP metadata namespace identifiers and the SIL Open Font License URL, standard constants rather than navigable link targets; the two www.ascendercorp.com entries likewise look like font-vendor URLs from the embedded fonts' name tables rather than document links.
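
As an added example (not code from the analysis platform that produced this report), the Python below implements the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks described above in a form you can run over any file: it enumerates `N G obj ... endobj` definitions, flags object ids defined more than once with different body bytes, raises severity only when a duplicate carries active content (a /URI, /JS, /Launch or similar key), and shows which /URI targets a first-wins reader and a last-wins reader would each resolve. The sample PDF bytes, the example.com / evil.example targets and the regex-based object splitter are constructed assumptions; the splitter does not handle compressed object streams, stream data that happens to contain `endobj`, or hex-encoded /URI strings.

```python
import re
from collections import defaultdict

# Constructed sample, not bytes from the analysed file: a minimal PDF whose only
# page carries one link annotation with a /URI action, followed by an incremental
# update that redefines object "4 0" with a different target. A real writer would
# also append an xref section and a /Prev pointer; the scanner works on the raw
# "N G obj ... endobj" bytes and does not need them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (https://example.com/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (http://evil.example/landing) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj <body> endobj"; the lookbehind stops "13 0 obj" from also matching "3 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI key followed by a literal string; escaped ")" and "\" inside the string are allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Keys that make an object "active" in the sense used by the heuristic above.
ACTIVE_RE = re.compile(rb"/(?:JS|JavaScript|Launch|OpenAction|AA|SubmitForm|GoToR)\b|/S\s*/URI\b")


def parse_objects(data: bytes):
    """Yield (num, gen, offset, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip()


def find_duplicate_objects(data: bytes):
    """Return {(num, gen): [distinct bodies]} for ids defined with more than one distinct body."""
    bodies = defaultdict(list)
    for num, gen, _off, body in parse_objects(data):
        if body not in bodies[(num, gen)]:
            bodies[(num, gen)].append(body)
    return {k: v for k, v in bodies.items() if len(v) > 1}


def resolve(data: bytes, policy: str):
    """Resolve every object id to one body the way a first-wins or last-wins reader would."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    table = {}
    for num, gen, _off, body in parse_objects(data):
        if policy == "first":
            table.setdefault((num, gen), body)
        else:
            table[(num, gen)] = body
    return table


def extract_uris(body: bytes):
    """Literal-string /URI targets in one object body, with PDF backslash escapes removed."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1") for m in URI_RE.finditer(body)]


def has_active_content(body: bytes) -> bool:
    return ACTIVE_RE.search(body) is not None


def report(data: bytes):
    """Duplicate ids with a severity, plus the URI set seen by each resolution policy."""
    dups = find_duplicate_objects(data)
    severity = {k: ("high" if any(has_active_content(b) for b in v) else "info") for k, v in dups.items()}
    return {
        "duplicates": severity,
        "first_wins_uris": [u for b in resolve(data, "first").values() for u in extract_uris(b)],
        "last_wins_uris": [u for b in resolve(data, "last").values() for u in extract_uris(b)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Running the block on the sample shows the point of the heuristic: both readers agree that object 4 0 exists, but a first-wins reader follows the benign link while a last-wins reader follows the attacker's, and the duplicate is rated high rather than info only because its body contains a /URI action. To triage a real file, replace SAMPLE_PDF with `open(path, "rb").read()` and compare the two URI lists against the URLs the sandbox actually extracted.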

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e020.bin
  SHA-256: 9b6555127e21d883786e2ebbfa610d39a86fc5b0f9dae47ff40a89526c362fe2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE020
  Size: 5348 bytes

Filename: font_01_sfnt_off0000f25a.bin
  SHA-256: c3734b8e138c316b10b293a052f765df0e4f1be1ebac5c694c00b10d10747983
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF25A
  Size: 10728 bytes