Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0b47eea57c8a876…

MALICIOUS

PDF

Size: 77.3 KB
Created: 2021-03-22 15:53:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f632998535f93e3189d618e0d9167c72
SHA-1: 7f29cca64e15c2684de427591d83b6631838a51a
SHA-256: c0b47eea57c8a876ab385cdfd2a4c5bd3364f8862b50b470d9bb36bfb7ed7326
Risk Score: 136

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1190 Exploit Public-Facing Application

The file is identified as malicious by ML classifiers and ClamAV, and exhibits characteristics of a phishing lure. The embedded URL and the document's content suggest an attempt to trick users into bypassing verification, likely to steal credentials or MFA tokens. While no scripts were explicitly extracted, the PDF format can embed JavaScript for malicious actions, and the presence of external URLs indicates a potential for further payload delivery or redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/123?utm_term=bypass+app++verification
    • https://cdn.sqhk.co/fuvebopeweb/BeB7jbI/86649397189.pdf
    • https://cdn.sqhk.co/fugovigul/hiUnjiM/world_builder_games_switch.pdf
    • https://cdn.sqhk.co/tidilotofuka/Sgg9Egr/defogari.pdf
    • https://cdn.sqhk.co/vawadawuleja/c16jhZs/baby_monstera_plant_price.pdf
    • https://cdn.sqhk.co/zoxunoromi/Gdijjdr/girezatelaner.pdf
    • https://cdn.sqhk.co/pininipata/db8icjJ/smashy_road_online_free.pdf
    • https://cdn.sqhk.co/mapetidul/ifih0gf/golabavofimijuluwo.pdf
    • https://cdn.sqhk.co/kaxejelun/edhihaD/tejagijalo.pdf
    • https://cdn.sqhk.co/ninulekuto/cN2gfji/kekixubobafupagureziwesub.pdf
    • https://cdn.sqhk.co/raxuzuvuluf/vCpiguN/multicraft_free_miner_apkpure.pdf
    • https://cdn.sqhk.co/jekefebiba/SjeZHo1/klondike_solitaire_download_for_windows_10.pdf
    • https://cdn.sqhk.co/duxapotor/Qqa6gfW/fly_hawaii_mod_apk.pdf
    • https://cdn.sqhk.co/pulisamog/MVTgjOP/lewozupetaroseweluje.pdf
    • https://cdn.sqhk.co/pofoxubo/sbnhcic/crossfire_x_ps4.pdf
    • https://cdn.sqhk.co/jejekije/geBWiap/774764296.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/35dced38-4255-4741-8960-41df8f3fc632/27390037240.pdf
    • https://s3.amazonaws.com/dupula/wijabopuwuw.pdf
    • https://s3.amazonaws.com/kegovev/12608463752.pdf
    • https://s3.amazonaws.com/tenunud/mixogenimum.pdf
    • https://s3.amazonaws.com/fenatagazise/purelobejo.pdf
    • https://uploads.strikinglycdn.com/files/b4a89967-ad53-4392-8ba6-935b66f9c4a4/27098633453.pdf
    • https://s3.amazonaws.com/tedowafomaru/8302395376.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
  • font_00_sfnt_off0000f0db.bin
    SHA-256: 3f063c103557eca3b392c616d4e5b49b98f2721ea2decaf6159a83e4da4d4f61
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xF0DB | Size: 5188 bytes
  • font_01_sfnt_off000102a7.bin
    SHA-256: 03560930d09a040c569766a44af253ae8d3a3930f18bae7b24775deb34a32515
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x102A7 | Size: 11020 bytes