Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2a284b44c8d55af…

  • Verdict: MALICIOUS
  • File type: PDF
  • Size: 100.0 KB
  • Created: 2021-03-06 23:58:41 +02:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • MD5: 2de3fccd27223d45be2c2ee964bf4059
  • SHA-1: d99a4c553a58a186ae343216db6879c614f2b320
  • SHA-256: c2a284b44c8d55af43295eebd71cde854e016b272a5c5bfe3336e15e7c3b8138
  • Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI that points to a suspicious domain, likely for phishing or malware distribution. ClamAV detection and ML classification strongly indicate malicious intent. The presence of external URIs suggests an attempt to redirect the user to a malicious site, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012b1a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12B1A
    Size: 2828 bytes
    SHA-256: 2f32373152b86590eb5c993bf8dbb57d20fc33770b92bc1ec6b5fd985d660553
  • font_01_sfnt_off00013523.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13523
    Size: 5084 bytes
    SHA-256: 1c229a13ac4d28599f58dfaf5be4cc39303448c6ca3bcacc7006ed8c425aac91
  • font_02_sfnt_off000146a3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x146A3
    Size: 10640 bytes
    SHA-256: a97d43c6ef5e95b48991576245c41e4f2f00d855d9b4aa482219ae1d2ebc6054
  • font_03_sfnt_off00016b3d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16B3D
    Size: 16380 bytes
    SHA-256: 09924b10e855ce39f6ed23c9edf1fec5f5fe7b5d8f39c377cbf0b4e57b11a1d4