Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8ce55d32dda58e1…

Verdict: MALICIOUS

File type: PDF

Size: 85.6 KB
Created: 2021-03-11 04:23:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17ff54a332b5d5cc4008a7a0778367f9
SHA-1: dcc16c9b3aa39c4dae64e57c34860f5a5a747eb5
SHA-256: b8ce55d32dda58e17445e84ad0f542be4ec1b62295d18a6ad14d93733080fcf3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URI pointing to a URL that mimics a truck service manual, suggesting a social engineering lure. While no scripts were explicitly extracted, the PDF structure and embedded URI indicate an attempt to redirect the user to a malicious site, likely for further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://jacksth.ru/wix?keyword=4300+international+truck+service+manual

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000107ff.bin
    SHA-256: 7bd538567f8fb793020e913125028353c1c453e80cedb1d66116462ae4ca0714
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107FF
    Size: 5368 bytes
  • font_01_sfnt_off00011a3a.bin
    SHA-256: 867253d262e8af9822a418e618544c472fe585e462c3776d56e22e9791fd93ef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A3A
    Size: 14880 bytes