Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5fd1fb41789f494…

MALICIOUS

PDF

Size: 79.8 KB
Created: 2021-03-18 12:06:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 302c4a894ff8450cdcf5c9b08e094f4f
SHA-1: d375ad8aeba47bfe3690485bc6df22cbb867f519
SHA-256: b5fd1fb41789f494f2391188dc4352e129bc3bb4a4a322195a6cb91b1fab3439
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded URLs, with the primary one being https://maypoin.ru/wix?keyword=discovering+economic+systems+worksheet+answers, suggesting a phishing or redirection attempt. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution. No scripts were extracted from this sample, but the presence of external URIs and the document's structure point towards a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/wix?keyword=discovering+economic+systems+worksheet+answers
    • https://cdn.sqhk.co/viwitukaz/jgUijic/12279068506.pdf
    • http://zifufarox.getenjoyment.net/56882155789.pdf
    • http://pasipodo.mypressonline.com/74503564550.pdf
    • http://muxoman.mygamesonline.org/analog_computer_examples.pdf
    • https://cdn.sqhk.co/susiwozobo/gfhjhgd/wugojusoxagovarevajo.pdf
    • https://cdn.sqhk.co/gupimupiset/3Njcy8n/wifi_hotspot_software_windows_xp.pdf
    • https://tejifogigevavep.weebly.com/uploads/1/3/4/6/134675995/aa9998996b.pdf
    • https://cdn.sqhk.co/modonasuje/aGgh6pX/54114681713.pdf
    • https://cdn.sqhk.co/fasisela/ik2hjig/venobudulavu.pdf
    • https://vakexojukesazi.weebly.com/uploads/1/3/0/9/130969985/nuwadikef-gewusijopexalim.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://wugujub.onlinewebshop.net/sangean_rcr_5_digital_am_fm_clock_radio_manual.pdf
    • https://6997f972-013f-4c6f-ac95-4179ba17a557.filesusr.com/ugd/549e1a_31c4901921514213b24a5dcc69b9208d.pdf?index=true
    • https://0ac950e2-707a-4e47-8bf4-daface0ea9db.filesusr.com/ugd/356f11_4c067dd029394932a192bc17f1061d32.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3995cd65-b154-4750-93d0-8cbbc1b53ab4/bogakolumakafibe.pdf
    • https://uploads.strikinglycdn.com/files/e3dac1c7-c3bc-4bb6-8e66-7923012bddde/properties_of_exponents_worksheet_8th_grade_answer_key.pdf
    • https://uploads.strikinglycdn.com/files/4668593b-ebfd-484a-a213-26699b6f18e3/5611250473.pdf
    • https://s3.amazonaws.com/ziwuvijevo/champion_gasket_sheet_3mm.pdf
    • https://s3.amazonaws.com/wolina/midland_75-822_handheld_cb_radio_manual.pdf
    • https://12f7643e-9106-4823-89c2-0bdaecd1bc22.filesusr.com/ugd/1f6d71_ab290e6701b44030a27c31df62817273.pdf?index=true
    • https://s3.amazonaws.com/fekazudabo/formal_email_example_complaint.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000f8d5.bin
    SHA-256: 6261a011b5b1c324d25bca678121d02dd29b784d086d73f80150c3dd1957d26e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8D5
    Size: 5496 bytes
  • font_01_sfnt_off00010b80.bin
    SHA-256: 6ebfb6666081e801845d938a06b313709fccf9224e7a44d26426f6273116bfb4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B80
    Size: 11248 bytes