Malicious PDF — malware analysis report

Static analysis result for SHA-256 c221fd276505be85…

Verdict: MALICIOUS
File type: PDF
Size: 425.1 KB
Created: 2021-03-05 19:06:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 750ce18eb1528008390e0c30d900fdf2
SHA-1: b2d0c9f62e13146a06afcaf671efc4cc744b4f68
SHA-256: c221fd276505be85b5a4e0edb4a149858aff2c0d997f76ac8ddb14a5aa5212e9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action pointing to a suspicious domain, and the ClamAV detection 'Pdf.Phishing.Trojan' strongly suggests malicious intent. The document body, though heavily obfuscated, contains text related to a physics textbook download, indicating a lure: the first extracted URL's query string (utm_term=nelson+physics+12+textbook+pdf+download) matches that lure, and most of the remaining links point to further .pdf files on shared hosting (s3.amazonaws.com, filesusr.com, strikinglycdn.com, f-static.net, s123-cdn-static.com). The XMP namespace and font licence URLs at the end of the list (w3.org, purl.org, ns.adobe.com, scripts.sil.org, dejavu.sourceforge.net) are standard document metadata, not indicators. The embedded URLs together with the detection profile align with a phishing or malware distribution campaign. Note that the heuristics below list no JavaScript detection, so treat the T1059.007 mapping as unconfirmed by this static pass.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9040

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/aws?utm_term=nelson+physics+12+textbook+pdf+download
    • http://microbestdigitalmeter.xyz/13248360208alcly.pdf
    • https://static.s123-cdn-static.com/uploads/4453098/normal_5ff97e14cfe97.pdf
    • http://naturalm.space/26645944501if3jl.pdf
    • https://cdn-cms.f-static.net/uploads/4485163/normal_5fd6c645bbeb1.pdf
    • https://cdn-cms.f-static.net/uploads/4367656/normal_6021f83217601.pdf
    • https://cdn-cms.f-static.net/uploads/4417023/normal_601d512769a7a.pdf
    • http://p-kavkaza.ru/ceiling_function_in_crystal_reportse0hwm.pdf
    • https://cdn-cms.f-static.net/uploads/4478928/normal_6022dccdc879d.pdf
    • https://cdn-cms.f-static.net/uploads/4408336/normal_60339ea7209ec.pdf
    • https://static.s123-cdn-static.com/uploads/4489975/normal_5ff95e30a1835.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/3196703a-8592-4868-a8af-6f9771fe19b3/96748606451.pdf
    • https://s3.amazonaws.com/pajukovuxetu/2036449791.pdf
    • https://s3.amazonaws.com/mokuwanibof/webadivikusewuwugezebeba.pdf
    • https://667b589a-70dd-4c78-a03f-47f6e9f07b1f.filesusr.com/ugd/db80c5_31240cb284af4c2699764970b22dbd6c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5224d8e0-e6ca-4f85-8023-48791391e357/rapibe.pdf
    • https://s3.amazonaws.com/jupudizadid/cimb_corporate_governance_report_2018.pdf
    • https://s3.amazonaws.com/fewunadupop/84698724792.pdf
    • https://s3.amazonaws.com/safago/gavaguruki.pdf
    • https://uploads.strikinglycdn.com/files/319bda40-2ac0-44f4-8af4-88f05f49f0b0/43388189601.pdf
    • https://uploads.strikinglycdn.com/files/2abb4fab-9dc5-4bac-994e-665bdd13a790/92662730890.pdf
    • https://97a45c9e-1ab5-462a-bfe2-fded34b9a8b9.filesusr.com/ugd/b50c55_ba5008671f4b4dc4ae3334b706ae6578.pdf?index=true
    • https://37bdae34-bb2f-403f-997c-54a7c09d9c06.filesusr.com/ugd/dc98cc_dfec0547b97e46e0b09725b577a2d796.pdf?index=true
    • https://88749095-6fd7-453f-8e8a-15b48fe47dd1.filesusr.com/ugd/e4d7df_5468570a42214fc99302b918d96547b2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
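The two structural heuristics above (an external /URI action, and the same object number defined twice with different bodies) can be reproduced outside the analysis platform. The Python below is an added example, not code from the analysis platform or from the sample: it scans raw PDF bytes with regular expressions instead of following the xref chain, so it is a triage aid rather than a conformant parser, and it models the first-wins and last-wins outcomes the heuristic description refers to. The embedded sample PDF, its placeholder trailers, the hostnames example.org, evil.example and cdn.example.net, and the list of keys treated as active content are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not bytes from the analysed file): a minimal PDF whose
# incremental update redefines object 4, a link annotation, with a different
# /URI target. The trailers are placeholders; this scanner never reads xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign.pdf) >> >>
endobj
5 0 obj
<< /Length 66 >>
stream
BT (Download: https://cdn.example.net/nelson-physics-12.pdf) Tj ET
endstream
endobj
trailer
<< /Size 6 /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://evil.example/payload.pdf) >> >>
endobj
trailer
<< /Size 6 /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Keys that make a duplicate definition worth escalating (assumed list).
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|URI|Launch|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile)(?![A-Za-z])")
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>]+")


def indirect_objects(data):
    """Every 'N G obj ... endobj' in file order as (num, gen, offset, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def has_active_content(body):
    """True if the object body carries an action, script or embedded-file key."""
    return ACTIVE_RE.search(body) is not None


def duplicate_objects(data):
    """Object numbers defined more than once with differing bodies.

    Returns {(num, gen): {"count", "first", "last", "active", "severity"}}.
    Body-only differences are normal in incremental updates, so severity is
    raised to 'warning' only when one of the bodies carries active content.
    """
    defs = defaultdict(list)
    for num, gen, _, body in indirect_objects(data):
        defs[(num, gen)].append(body)
    report = {}
    for key, bodies in defs.items():
        if len(set(bodies)) < 2:
            continue
        active = any(has_active_content(b) for b in bodies)
        report[key] = {"count": len(bodies), "first": bodies[0], "last": bodies[-1],
                       "active": active, "severity": "warning" if active else "info"}
    return report


def resolve(data, num, gen, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen).

    Real readers walk the xref chain; these two policies are the outcomes that
    chain normally yields, which is what the parser-confusion heuristic is about.
    """
    bodies = [b for n, g, _, b in indirect_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_urls(data):
    """URLs labelled with the channel that reached them: 'uri-action' (a /URI
    action inside object 'N G') or 'body-text' (anywhere else in the raw bytes)."""
    found = []
    for num, gen, _, body in indirect_objects(data):
        for m in URI_ACTION_RE.finditer(body):
            found.append((m.group(1).decode("latin-1"), "uri-action", f"{num} {gen}"))
    via_action = {u for u, _, _ in found}
    for m in URL_RE.finditer(data):
        u = m.group(0).decode("latin-1")
        if u not in via_action and (u, "body-text", None) not in found:
            found.append((u, "body-text", None))
    return found


if __name__ == "__main__":
    for (num, gen), d in duplicate_objects(SAMPLE_PDF).items():
        print(f"obj {num} {gen}: {d['count']} definitions, active={d['active']}, severity={d['severity']}")
        print("  first-wins:", resolve(SAMPLE_PDF, num, gen, "first").decode("latin-1"))
        print("  last-wins: ", resolve(SAMPLE_PDF, num, gen, "last").decode("latin-1"))
    for url, channel, obj in extract_urls(SAMPLE_PDF):
        print(f"{channel:11s} {obj or '-':5s} {url}")
```

Run against a real sample, replace SAMPLE_PDF with the file's bytes. A first-wins reader resolves object 4 to the benign link and a last-wins reader to the redefined one, which is exactly the split that lets a document show one target to a scanner and another to a viewer; the channel label distinguishes a clickable /URI action from a URL that merely appears in page text or metadata, the distinction the report's per-URL labels were meant to carry.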

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded sfnt font programs, consistent with wkhtmltopdf embedding the fonts it rendered with; none is an executable or script payload, so they are worth a hash lookup but are not indicators on their own.

font_00_sfnt_off00062342.bin
  SHA-256: e56bd9a85f7ebbe1738bab89341b1206d5ba92d966872ae41cd79d417d6ad1e5
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x62342
  Size:    5552 bytes

font_01_sfnt_off0006360b.bin
  SHA-256: 1d810ca728920ecb4425f912622210802cb3cafef3aefffcc96ee8b269a525ba
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6360B
  Size:    1188 bytes

font_02_sfnt_off00063ce3.bin
  SHA-256: 4ca5e12ddb074f84065b4c25503bae1bb01e23ae12dc9de75709f0c2176516f5
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x63CE3
  Size:    15920 bytes

font_03_sfnt_off000670c9.bin
  SHA-256: b8987608e74429a43279b631473b10a6179940079cd95b4bb6a6b0e3dc58894c
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x670C9
  Size:    16192 bytes

font_04_sfnt_off000685f4.bin
  SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x685F4
  Size:    4324 bytes