Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6a841a721d78936…

Verdict: MALICIOUS
File type: PDF
Size: 75.0 KB
Created: 2021-03-09 16:42:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e8c236d422353ef933542feff1d2e9f7
SHA-1: 71a01542fe5a99ae439e7bb1f746ae886dae005e
SHA-256: b6a841a721d7893631b08e2943fd909d796d5349f9eb8d8280d9ac1523832bff
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was classified as malicious both by the Nyx PDF classifier (score 0.9732) and by a ClamAV phishing signature, so the verdict is well supported. Its external URL action points to lozipotod.ru with a query string crafted to look like a search for a popular book title ("scary stories to tell in the dark book pdf"); this is a lure that relies on the reader following the link, and the destination most likely serves a phishing page or a malware download. No JavaScript or other script content was extracted, so the T1059.007 mapping is not corroborated by the static findings; the verdict rests on the signature match, the classifier score and the external URI action.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9732

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV signature match: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) rejected this file with PDFSyntaxError. The static heuristics ran independently of it, so the findings listed here remain valid; only the differential cross-check signal (agreement between two parsers) is missing. A file that one parser rejects while viewers still render it is itself worth noting, since malformed structure is a common way to evade strict parsers.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) says how each URL was reached, and those labels are not reproduced in this listing. The first URL below is the one highlighted by the report; the remainder were extracted from the document content.
    • https://lozipotod.ru/award?keyword=scary+stories+to+tell+in+the+dark+book+pdf
    • http://kiritisivasol.mywebcommunity.org/how_much_can_an_interior_designer_make_in_canada.pdf
    • http://sungo1.space/invitation_letter_for_meeting_templatef5zb9.pdf
    • http://kosonetibekub.medianewsonline.com/sivipitabikunitokedorali.pdf
    • http://medicinfo.online/luxor_deluxe_queen_roome3qs0.pdf
    • http://discovljzg.fun/jokes_to_put_in_student_council_speeches0encs.pdf
    • http://antonio-ita.space/dodewufapiridvsrpq.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9c9f1f99-d1bd-4580-ab2b-7f5235a7d3bb/8070673500.pdf
    • https://uploads.strikinglycdn.com/files/4cc3dc60-024c-4fa5-9745-7b99be0fb180/catcher_in_the_rye_chapter_1-5_summary.pdf
    • https://uploads.strikinglycdn.com/files/7b3f2228-6855-42e6-b22f-688950e02195/349434431.pdf
    • https://uploads.strikinglycdn.com/files/a040a1ef-eaf1-452c-99d6-b6b3d2f421e4/why_is_my_samsung_dryer_making_a_screeching_noise.pdf
    • https://uploads.strikinglycdn.com/files/5ad953bc-2c11-4a6a-a71c-0d49ed767068/washington_state_basketball_coach_salary.pdf
    • https://uploads.strikinglycdn.com/files/a966be05-9ec4-4721-b031-f32d2f3452d6/bilibim.pdf
    • https://uploads.strikinglycdn.com/files/62e4105d-99a8-4876-8f17-42eb4e13e7e5/piano_adventures_level_2b_performance_book.pdf
    • https://uploads.strikinglycdn.com/files/3afa336d-9fca-4746-85ef-29ced1979196/section_138_negotiable_instrument_act_amendment.pdf
    • http://kepofif.onlinewebshop.net/dell_optiplex_780_sff_windows_10.pdf
    • https://uploads.strikinglycdn.com/files/9367c575-f7a1-4edb-83e7-ef988cfc117b/bumerumazovemegufezawati.pdf
    • https://uploads.strikinglycdn.com/files/c8514d11-af3e-4344-9e34-4363b6432599/64895221816.pdf
    • https://uploads.strikinglycdn.com/files/a37a8d1b-5fc6-401a-a73e-0c9e2bbf498e/how_to_get_approved_to_trade_options_on_webull.pdf
    • https://uploads.strikinglycdn.com/files/4184dd00-b449-43d6-9a1d-af71a5214ba7/90804011399.pdf
    • https://uploads.strikinglycdn.com/files/3e06d258-19bb-4633-9863-039bf3279344/vibupetozefog.pdf
    • https://uploads.strikinglycdn.com/files/ca4b8449-f065-4933-a271-84ac584db0c8/i_want_to_be_normal_manga.pdf
    • http://scripts.sil.org/OFL
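The PDF_URI, EMBEDDED_URL and PDF_DIFFERENTIAL_PARSE_FAILED findings above can be reproduced by hand. The following Python is an added example, not the analysis service's own code: it scans the raw bytes for /URI action targets, inflates FlateDecode streams so URLs in the page body are found too, labels each URL with the channel it came from (the way the EMBEDDED_URL entry describes), and checks for /JS or /JavaScript keys, which is the cheap test behind "no scripts were extracted". Because it never builds an object tree it still returns results on a file that pdfminer.six rejects with PDFSyntaxError. The PDF it runs on is constructed inline (the lure URL from this report inside a link annotation, plus a hypothetical http://example.invalid/book.pdf inside a compressed content stream) and is not the analysed sample.

```python
"""Stdlib-only extraction of /URI actions and embedded URLs from a PDF.

Added example; the sample PDF is constructed below and is not the analysed file.
"""
import re
import zlib

# A bare URL: stop at whitespace and at PDF string/dict/array delimiters.
URL_RE = re.compile(rb"https?://[^\s()<>\"'\[\]]+")
# A stream object: its dictionary (one nesting level), then the bytes between
# "stream" and "endstream". /Length is ignored on purpose: malformed files lie
# about it, and that is exactly when strict parsers give up. A CRLF before
# endstream leaves a stray \r at the end of the body, which zlib tolerates.
STREAM_RE = re.compile(
    rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
# /URI values: a literal string with backslash escapes, or a hex string.
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
JS_RE = re.compile(rb"/(?:JS|JavaScript)\b")

ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def unescape_literal(s: bytes) -> bytes:
    r"""Decode PDF literal-string escapes: \n \r \t \b \f, \ddd octal, \( \) \\."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i:i + 1] != b"\\":
            out += s[i:i + 1]
            i += 1
            continue
        i += 1
        esc = s[i:i + 1]
        if esc in ESCAPES:
            out += ESCAPES[esc]
            i += 1
        elif esc and esc in b"01234567":        # up to three octal digits
            j = i
            while j < len(s) and j < i + 3 and s[j:j + 1] in b"01234567":
                j += 1
            out.append(int(s[i:j], 8) & 0xFF)
            i = j
        else:                                   # \( \) \\ or unknown: keep the char
            out += esc
            i += 1
    return bytes(out)


def decoded_streams(data: bytes):
    """Yield each stream body, inflated when it is FlateDecode-compressed."""
    for m in STREAM_RE.finditer(data):
        params, raw = m.group(1), m.group(2)
        if b"/FlateDecode" in params:
            try:
                yield zlib.decompress(raw)
                continue
            except zlib.error:
                pass                # truncated or corrupt stream: fall back to raw bytes
        yield raw


def extract_urls(data: bytes) -> dict:
    """Map every URL to the set of channels it was reached through:
    'uri-action' (target of a /URI action), 'stream-body' (text inside a decoded
    stream) or 'raw-object' (visible in uncompressed object data or metadata)."""
    found = {}

    def add(url: bytes, channel: str) -> None:
        found.setdefault(url.decode("latin-1"), set()).add(channel)

    for m in URI_LIT_RE.finditer(data):
        add(unescape_literal(m.group(1)), "uri-action")
    for m in URI_HEX_RE.finditer(data):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:                     # PDF pads an odd final digit with 0
            digits += b"0"
        add(bytes.fromhex(digits.decode("ascii")), "uri-action")
    for body in decoded_streams(data):
        for m in URL_RE.finditer(body):
            add(m.group(0), "stream-body")
    for m in URL_RE.finditer(data):
        add(m.group(0), "raw-object")
    return found


def has_javascript(data: bytes) -> bool:
    """True if a /JS or /JavaScript key appears in the file or in any decoded stream."""
    if JS_RE.search(data):
        return True
    return any(JS_RE.search(body) for body in decoded_streams(data))


LURE = b"https://lozipotod.ru/award?keyword=scary+stories+to+tell+in+the+dark+book+pdf"
BODY_URL = b"http://example.invalid/book.pdf"   # hypothetical, constructed for the sample


def build_sample_pdf() -> bytes:
    """Constructed PDF: a /Link annotation whose /URI action is the lure URL from this
    report, plus a FlateDecode page stream that mentions a second URL in its text."""
    text = (b"(Download your copy here: " + BODY_URL + b") Tj T* ") * 3
    packed = zlib.compress(b"BT /F1 12 Tf 72 720 Td 14 TL " + text + b"ET")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 5 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
        b"/A << /S /URI /URI (" + LURE + b") >> >> endobj\n"
        b"5 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for url, channels in sorted(extract_urls(pdf).items()):
        print(url, sorted(channels))
    print("javascript present:", has_javascript(pdf))
```

The URL inside the compressed stream is reported only under stream-body, while the lure URL is reported under both uri-action and raw-object because its literal string sits in an uncompressed annotation dictionary; a scan that skips stream inflation misses the first kind entirely, and a scan that only greps for "http" cannot tell an actual click target from text. Hex-encoded /URI values and octal escapes in literal strings are handled because both are routinely used to hide a URL from naive string searches.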

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f279.bin | e6fcac2faaf08d190b7b2078c18ab3df7f07588d0a16387ab46e5e19ed09fb7c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF279 | 5652 bytes
font_01_sfnt_off000105af.bin | 35e48f4a6041aabb5486dd34f4e9e5a2f7c69acd34d70618e371d1233c5bcdef | pdf-font-stream | PDF embedded font (sfnt) at offset 0x105AF | 10276 bytes