Malicious PDF — malware analysis report

Static analysis result for SHA-256 b599cc6411eafcf3…

Verdict: MALICIOUS
File type: PDF
Size: 88.4 KB
Created: 2021-04-24 15:48:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6ca57d6cec8641c731826456ee7449f1
SHA-1: 20e333bb8e5e5b98ccf4f9e3cd96e18422350c1b
SHA-256: b599cc6411eafcf3c7196f161680c15dd9c90e1e1c43e51444727aa9fe956e37
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an external URI pointing to a suspicious domain, which is a common tactic for phishing lures. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to a malicious site, likely for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape seen in targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00011a07.bin
    SHA-256: a058379fbaa351d613b74d50aff51ced786fd3e192bdd98507e89ddf58d99824
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A07
    Size: 5244 bytes
  • Filename: font_01_sfnt_off00012bf2.bin
    SHA-256: 2f240ed654cb7931dee121ffa071fe147bb09c3ba42bd3b1415b4a06542c2c7c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12BF2
    Size: 11828 bytes