Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad9d8d83ab06cf72…

MALICIOUS

PDF

Size: 90.0 KB
Created: 2021-07-06 08:10:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 09de78c8f6db8459ecd07495a06481c4
SHA-1: 41e82b491b42371121523d664ec503a547ffdfb6
SHA-256: ad9d8d83ab06cf7224cd9d530376e9686e49cfc055792a9aa8ddd59387af337e
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF was flagged as malicious by both the machine learning classifier (Nyx score 0.9952) and ClamAV (Pdf.Phishing.Trojan signature). The document carries an external URI action pointing to 'https://inwebjor.ru/uplcv' (query string 'utm_term=itzykson+and+zuber+pdf', a textbook search term used as the lure), so it is built to send the reader to an attacker-controlled site rather than to carry exploit code itself; static analysis does not fetch that destination, so whatever is served there is not known from this report. The producer string (wkhtmltopdf 0.12.5) shows the file was rendered from HTML, and the remaining PDF URLs extracted from the document all sit in upload directories of WordPress form plugins (formcraft, super-forms) on unrelated domains, a hosting pattern consistent with abused file-upload endpoints. The 'SE_URGENCY_LURE' heuristic adds urgency or deadline language, which fits a phishing or social engineering pattern. None of the heuristics report JavaScript, Launch actions or embedded files, so the risk here is the click-through, not the PDF parser.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that keeps the first definition and one that keeps the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (a later section of the file legitimately supersedes an earlier object), so severity is raised only when the duplicate carries active content (an action, script or embedded file).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://inwebjor.ru/uplcv?utm_term=itzykson+and+zuber+pdf
    • https://kolodezrus.ru/wp-content/plugins/super-forms/uploads/php/files/a9342dfd71c42db46f97e3c5657bffe0/bitezopo.pdf
    • http://www.supercarrentalsofmiami.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac68b1af68e---tujumijuxex.pdf
    • http://schodylux.pl/userfiles/file/lijopunidu.pdf
    • http://graphicon.hu/wp-content/plugins/formcraft/file-upload/server/content/files/1608e1fffba10f---41764513070.pdf
    • https://www.tessilgiada.it/wp-content/plugins/formcraft/file-upload/server/content/files/16072001f25f30---xaxukegazapenefesunul.pdf
    • http://www.191seo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c65a9f83349---varuwokinovavigamokuveze.pdf
    • http://digifast.cz/userfiles/81513014404.pdf
    • http://www.medicalalliedtraining.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abfab00606b---sutizosozuranafo.pdf
    • https://iamtimeshare.com/userfiles/file/vunuzif.pdf
    • http://agcslohian.com/userfiles/file/67051530994.pdf
    • http://clinicacomciencia.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160a0a11cd7dcb---sefega.pdf
    • http://cohensevents.com/clients/74638/File/62328358945.pdf
    • https://www.hdcorp.com.br/wp-content/plugins/super-forms/uploads/php/files/snu9p7rba2bhq2bmdfcc1ak2h9/61395058195.pdf
    • https://pabausa.org/wp-content/plugins/formcraft/file-upload/server/content/files/160985832c4cbf---6577484942.pdf
    • http://www.communityheroesproject.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607cc8f1e8339---64695473465.pdf
    • https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a3efd34c059---24094558981.pdf
    • http://fashioncenterpoint.com/wp-content/plugins/super-forms/uploads/php/files/03b4dad766bcd03e47539ef5eae82ab3/lerujetogavur.pdf
    • http://kaplanpm.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e3bfbd5ae8b---karaj.pdf
    • http://pck.malopolska.pl/wp-content/plugins/super-forms/uploads/php/files/c6ac904176487723bd205128af1b0afc/23339334246.pdf
    • https://sipsib.ru/wp-content/plugins/super-forms/uploads/php/files/4b523f1baf3d4986ec7b7bdd2c5df09e/22021643231.pdf
    • http://curry-box-deluxe.de/userfiles/file/47465060399.pdf
    • https://www.medicalart.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1609c45c960438---9776052669.pdf
    • http://the100voicesofgospel.de/fichiers/newsletter/file/47949223734.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
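The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI) can be reproduced with a small scan. The following is an added example, not code from the analysis platform that produced this report: it walks every "N G obj ... endobj" span in file order, reports object ids whose bodies differ, simulates first-wins versus last-wins resolution, raises severity only when a duplicate carries active content, and pulls out /URI literal strings. It is regex-based and assumes an uncompressed file with no object streams; the sample PDF, its object numbers, the /Prev value and the URL are constructed for the demonstration.

```python
import re

# Regex for "N G obj ... endobj" spans; (?<![0-9]) stops "12 0 obj" matching inside "112 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values: "(...)" with backslash escapes allowed inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys whose presence means the object can cause an action rather than just draw content.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def iter_objects(pdf):
    """Yield (objnum, gen, body, offset) for every indirect object in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(pdf):
    """Map (objnum, gen) -> list of bodies, keeping only ids defined more than once
    with at least two different body byte strings (pure re-emission is ignored)."""
    seen = {}
    for n, g, body, _ in iter_objects(pdf):
        seen.setdefault((n, g), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(pdf, n, g, policy="last"):
    """Simulate a first-wins or last-wins reader by file order. Real readers follow
    the xref chain (/Prev), so this is a scan-time approximation, not a PDF parser."""
    bodies = [b for nn, gg, b, _ in iter_objects(pdf) if (nn, gg) == (n, g)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def carries_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def extract_uris(pdf):
    """All /URI literal strings, regardless of which object reached them."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def assess(pdf):
    """Return duplicate-object findings (severity raised only when a duplicate
    carries active content, as the heuristic describes) plus extracted URIs."""
    findings = []
    for (n, g), bodies in duplicate_objects(pdf).items():
        raised = any(carries_active_content(b) for b in bodies)
        findings.append({"obj": f"{n} {g}",
                         "severity": "raised" if raised else "info",
                         "first": bodies[0], "last": bodies[-1]})
    return {"duplicates": findings, "uris": extract_uris(pdf)}


# Constructed sample (not the analysed file): an original document plus one
# incremental update that redefines the link annotation 4 0 with a /URI action.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # incremental update appended after the first %%EOF; the /Prev value is illustrative
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.invalid/lure) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    report = assess(SAMPLE)
    for f in report["duplicates"]:
        print(f["obj"], f["severity"])
        print("  first-wins:", f["first"])
        print("  last-wins: ", f["last"])
    print("URIs:", report["uris"])
```

On the constructed sample, a first-wins reader sees a plain link rectangle for object 4 0 while a last-wins reader sees the same rectangle with a /URI action attached, which is exactly the divergence the heuristic is looking for; because the later body contains /URI the finding is raised rather than left at info. Compressed streams and object streams (/ObjStm) are invisible to this scan and need a real parser.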

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f928.bin | 8042c8df3b6474a7ed82ed6169d72121db4d8ee4aedfbc908037b7060711c936 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF928 | 18088 bytes
font_01_sfnt_off000128b2.bin | 3a6faf91c3ec526ee241154cd65cb78004c5f2fb399a37b25cfb80289ad19bda | pdf-font-stream | PDF embedded font (sfnt) at offset 0x128B2 | 10812 bytes
font_02_sfnt_off000141a1.bin | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x141A1 | 16792 bytes