Malicious PDF — malware analysis report

Static analysis result for SHA-256 adf169f4e5f2a989…

Verdict: MALICIOUS
File type: PDF
Size: 83.5 KB
Created: 2021-03-21 08:54:01 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a612ca92d8492ca86998a8f0302dd34f
SHA-1: ed75f1bd675bf59b7f072213403e2d056b8ae18b
SHA-256: adf169f4e5f2a989add6f3856a4367b3c88a238cae92f725571f7cca8ed5a8f1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, which is highly indicative of a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly support its malicious nature. The document body, though heavily obfuscated, suggests a lure related to exam preparation, aligning with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/award?keyword=crisc+exam+prep+course+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f215.bin
    SHA-256: 9052914008b572a483e4fea8ad52fb16c76ccce2d8a6648d26d498bff7b006dd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF215
    Size: 5244 bytes
  • font_01_sfnt_off000103d9.bin
    SHA-256: 6e45b90f2253939ef124817a2537dd174e9ea96e258df0499aa48e17e2baf52d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x103D9
    Size: 11560 bytes
  • font_02_sfnt_off00012b6a.bin
    SHA-256: ea75db71c9df7250347a03039f742fcd189f5fc3f08964e696816fa8b5227073
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12B6A
    Size: 16092 bytes