Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6e53879a27d4eb9…

Verdict: MALICIOUS

File type: PDF

Size: 84.4 KB
Created: 2021-03-10 14:40:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00bd0e4e14bb6e91646f5b21fa7c84f3
SHA-1: 73262c4fd992ee08f072ee7d63380d5c1db9fdc5
SHA-256: b6e53879a27d4eb9619f0bd149c0c81972f0f20badb8ac202786b99e3b89ac4b

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URL pointing to 'zajinet.ru', which is likely used as part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to downloading an ebook, aligning with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/wix?keyword=php+complete+reference+ebook+pdf+free+download

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000100a6.bin
  SHA-256: 19a359ee668d12302c946f52f0f320d681531d6cdc13b94a8e59cdd7001aa0ba
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x100A6
  Size: 5252 bytes

Filename: font_01_sfnt_off00011259.bin
  SHA-256: 04a07a5c9175958b1546a250b6b5a2ae4283c1a0d7ad2160d36641ed2023a403
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11259
  Size: 10256 bytes

Filename: font_02_sfnt_off00013576.bin
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13576
  Size: 4324 bytes