Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc746483c170623b…

MALICIOUS

PDF

Size: 90.7 KB
Created: 2021-04-02 18:18:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c9b8f8be6c22fb7b55ae855e99b6a26
SHA-1: b8c5ffced54012e1d5d0ef87b374d43090656fee
SHA-256: bc746483c170623b70900ff0e9445afed3da735af6ca6eb11b3bb4ad8fd7ea09
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded URLs that are likely part of a phishing or malware distribution scheme, masquerading as a free book download. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the presence of external URIs suggests the document is designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=rational+choice+in+an+uncertain+world+free+pdf
    • http://jesiwufap.iblogger.org/xozuwi.pdf
    • https://cdn.sqhk.co/pumapajewa/dnhhRZt/31585314172.pdf
    • https://cdn.sqhk.co/fuguwaso/hkRTZ77/oneplus_launcher_keeps_stopping_oneplus_7.pdf
    • https://cdn.sqhk.co/mugejufunij/tecjhgi/hercules_roadeo_rampage_26.pdf
    • http://kixetojonomezad.22web.org/how_to_use_sd_card_on_samsung_tab_a.pdf
    • https://cdn.sqhk.co/jakofawesavo/Iohjajg/bilijexewuzekuruxilila.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/mijumomub/perafoduxawibenupalus.pdf
    • https://uploads.strikinglycdn.com/files/97b62eb7-30a8-4949-86af-1a1027b60fb0/ximijufo.pdf
    • https://uploads.strikinglycdn.com/files/3377a973-16e2-426c-a370-9148d677a276/19592510225.pdf
    • https://e7e1611e-f78d-4dfd-b5ce-3be5f579732f.filesusr.com/ugd/4b76a6_4102d7ecdc804570b77f1cfd8b60048a.pdf?index=true
    • http://vedulojut.epizy.com/how_to_get_rid_of_phobias_in_outer_worlds.pdf
    • http://dojiseb.epizy.com/invitation_letter_for_ghana_visa_template.pdf
    • https://s3.amazonaws.com/rexogeguxosix/47902504775.pdf
    • https://uploads.strikinglycdn.com/files/96d5cef2-7158-4b21-879c-b51f4350f7a7/notejik.pdf
    • https://uploads.strikinglycdn.com/files/c851ea35-7f97-40ef-bfe2-4be25ec6dd3f/livro_gramatica_ingles_cambridge.pdf
    • https://uploads.strikinglycdn.com/files/f342e0b4-a67f-4dc1-8be5-62663f0dd703/thinking_mathematically_7th_edition_download.pdf
    • https://492f55f4-3442-4b37-b17e-39d9f2f0ae8a.filesusr.com/ugd/7dfe85_920dfca4bd634dda9dd1501ff63635e8.pdf?index=true
    • https://c9107794-7b31-4e5c-84de-5db174abdfaa.filesusr.com/ugd/aabf5f_2d96e8d8d61245a787201223cba15638.pdf?index=true
    • https://s3.amazonaws.com/xuzed/anthropology_indrani_basu_roy.pdf
    • https://4cf2acc4-d143-4013-a78d-f21de0873c4f.filesusr.com/ugd/e4636f_5d54ab5710e04a5a83a34494486d38a2.pdf?index=true
    • https://51f47fa2-20f7-4ec4-bb91-8ae4aee689b4.filesusr.com/ugd/917232_41eb90e766c045a9aab2841d77a04412.pdf?index=true
    • https://s3.amazonaws.com/muwomapotumugi/resumen_de_romeo_y_julieta_por_capitulos.pdf
    • https://75e6061f-eb7a-4ce8-b546-077bf96366c3.filesusr.com/ugd/2dfd19_bf34cef8349946bf9f3611307d0c9652.pdf?index=true
    • https://1eba3b37-3dce-45e8-aa15-e51a58efc0fe.filesusr.com/ugd/89e37c_fe9678195936465fa5518c95ae621e90.pdf?index=true
    • https://s3.amazonaws.com/vavale/migeruzisisexewuwusefamuv.pdf
    • https://254b3b0b-79dc-4992-827c-fd4bb3db3178.filesusr.com/ugd/f515ca_6353b4a65b1b4bf19f460d21d4650814.pdf?index=true
    • https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_bc2ba2d7dde94348a4b7b95792b20a86.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000122e1.bin
    SHA-256: b7b12790083f6a6c2959104866f867d7ddd9715e98b3c2989d4da92cb25eb0b6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x122E1
    Size: 5164 bytes
  • font_01_sfnt_off00013486.bin
    SHA-256: bda28c220489b2e580cd12789a1f5fcb81dd4f3e68894476531be8e521fb2363
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13486
    Size: 11528 bytes