Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3c5a5b2574afc17…

Verdict: MALICIOUS
File type: PDF
Size: 78.9 KB
Created: 2021-05-27 09:03:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c50ea4f8cdbfaaa439cbf7f9243fcd11
SHA-1: 2de1aa241d590776df46b2bb6692b651a478d93f
SHA-256: c3c5a5b2574afc17a40e4bb857798ecac1f4e169d756b159a45968b9c1b934fa
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The embedded URL points to a suspicious domain, likely a phishing site. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious external resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/strik?utm_term=declaration+of+no+conflict+of+interest+example
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/58711cfd-57a5-40d6-bc82-b894923ce4d4/6-cycle_semi_log_graph_paper.pdf
    • https://uploads.strikinglycdn.com/files/9097a7c2-c52a-489d-899b-4fd8130e2327/les_chiffre_en_lettre_arabe.pdf
    • https://uploads.strikinglycdn.com/files/d49ecf97-0d64-4df7-bf42-5b2bb9f53a68/autocad_lt_free_download_for_mac.pdf
    • https://uploads.strikinglycdn.com/files/3351123e-4720-4172-b1c8-35ae294fee77/78534307333.pdf
    • https://uploads.strikinglycdn.com/files/99866123-da52-4b87-8a62-dede4b515cf1/cbse_reduced_syllabus_2020-21_class_12_chemistry.pdf
    • https://uploads.strikinglycdn.com/files/49ad6d4e-c54a-47a1-8be5-8a18b324953d/klein_tools_ncvt-2_non_contact.pdf
    • https://uploads.strikinglycdn.com/files/3b9f4195-414c-45b2-95c4-3ee3d609bfbf/71891735008.pdf
    • https://uploads.strikinglycdn.com/files/056eef2d-d20f-496b-987b-674f23acbd09/ford_mustang_mach_1_for_sale_florida.pdf
    • https://uploads.strikinglycdn.com/files/9eba82b5-7c67-4bc6-b414-4d68db57b3ef/ryanair_case_study_strategic_management.pdf
    • https://uploads.strikinglycdn.com/files/5f859ca1-4dfe-40f8-ae7f-3347a9f3cf56/wadadajirenidogisorujopo.pdf
    • https://uploads.strikinglycdn.com/files/27f7d7e1-6235-4a40-992e-1a3c7dced79c/pirakivumaruxatakazuxewub.pdf
    • https://uploads.strikinglycdn.com/files/7132392f-2377-4651-8383-456bf5deb766/pibixibopojewexuzoropelif.pdf
    • https://uploads.strikinglycdn.com/files/5ba2fd77-2733-48a8-a402-f7fc2972a4a6/25773647895.pdf
    • https://uploads.strikinglycdn.com/files/57cb7843-22c2-4ffd-a41a-17f1cae98c5f/rawitawiwege.pdf
    • https://uploads.strikinglycdn.com/files/f5da5b46-2753-4cb9-9d7e-19c598402786/vosopepuxinasugojokaja.pdf
    • https://uploads.strikinglycdn.com/files/511bcd7c-82cd-4e26-ac04-05fdae60aa64/motivation_and_learning_strategies_for_college_success_6th_edition.pdf
    • https://uploads.strikinglycdn.com/files/bb1b481c-a94c-4b69-8ba9-1bd834c0ab84/2011_chevy_traverse_radio_display_not_working.pdf
    • https://uploads.strikinglycdn.com/files/7096224c-c5a8-457d-bc9a-6bd32401703a/16746927550.pdf
    • https://uploads.strikinglycdn.com/files/bb7ad060-f7fc-4e4d-aada-b501c3880027/when_rocks_cry_out_by_horace_butler.pdf
    • https://uploads.strikinglycdn.com/files/7ae0e214-6455-4463-b4c4-7b0b60cda1db/3149331708.pdf
    • https://uploads.strikinglycdn.com/files/3e5bacf7-f589-4206-8019-0f5bcba3cfad/lord_of_the_flies_chapter_3_and_4_quiz_answers.pdf
    • https://uploads.strikinglycdn.com/files/13c8c41c-cb79-40bc-b95e-d91cb6c14b84/warisipunonegitovoxemol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f597.bin
    SHA-256: 1188c8fec4ad0ed2d6f5e468532d63e15e16f934a05c887460937e529522c91e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF597
    Size: 5228 bytes
  • Filename: font_01_sfnt_off00010759.bin
    SHA-256: 964fc806a56fda4b1658282a3ebc05794462d25272f29604936143b88478ad9e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10759
    Size: 10816 bytes