Malicious PDF — malware analysis report

Static analysis result for SHA-256 c297d3b8000e9da4…

MALICIOUS

PDF

Size: 159.3 KB
Created: 2021-03-22 14:47:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 568ec487df02910b47ad1f5b92afdfeb
SHA-1: 784238055385e1079ee64002f1ae6a50dde7ed68
SHA-256: c297d3b8000e9da471e3e8e25f33f3dca0efe6a9f9ae41cda1b10005a2fda209
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as a malicious PDF by ClamAV and a machine learning classifier. It contains an embedded URL pointing to a suspicious domain, likely intended for phishing or malware distribution. The PDF structure and embedded content suggest an attempt to disguise malicious activity, possibly related to a fake product manual or support lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://mezovuduw.ru/wix?keyword=liftmaster+41a4252-7c+remote

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0002336c.bin
    SHA-256: fbb6ae9184e05b7592e1ef07e09007a7cac249684682242a1567fcf206b8fcba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2336C
    Size: 5444 bytes
  • Filename: font_01_sfnt_off000245fc.bin
    SHA-256: bd1ea3a02179e3f2662a9d0ca28aa92441f3fe1549f5e991412e568dcb328d0d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x245FC
    Size: 11600 bytes