Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5f3b82a59fe6a64…

MALICIOUS

PDF

Size: 225.4 KB
Created: 2021-04-13 04:48:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 2b3548a1c3ed8e3ae810407cc1d6b5b7
SHA-1: 1fa6da0b218f6e31e5266f514deebbcc2129948e
SHA-256: c5f3b82a59fe6a64c4e36243841fac004cfee36cc299c13acf8a3a3188f0a66c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a lure related to 'History of quran pdf in urdu' and embeds a URL pointing to a suspicious domain, likely intended for phishing or malware distribution. ClamAV detection and ML classification strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest it's designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9858

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/strik?utm_term=history+of+quran+pdf+in+urdu (PDF link annotation)
    • http://helps-lnstagramcopyrights-about.com/650744353394ic29.pdf (in PDF document text)
    • http://puduvab.sportsontheweb.net/keith_code_a_twist_of_the_wrist.pdf (in PDF document text)
    • http://daliadiago.com/bovikmtbgc.pdf (in PDF document text)
    • http://tiktokhd.design/the_freedom_writers_diary_teachers_guide_2007_crossword_puzzle_answerslcf8t.pdf (in PDF document text)
    • http://help-lnstagramcopyrights-verify.com/300749623613x87q.pdf (in PDF document text)
    • http://zokazurimila.mygamesonline.org/diwazatupuje.pdf (in PDF document text)
    • http://medway24.com/31743793874id9f5.pdf (in PDF document text)
    • http://pshcomonhere.xyz/what_is_the_exact_value_of_cos_180l58sz.pdf (in PDF document text)
    • http://rankingcoach-apps.com/nursing_research_using_grounded_theory_qualitative_designs_and_methods_in_nursing9v7jj.pdf (in PDF document text)
    • http://erogan-columbia.site/878806926998341g.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://d4a58959-25bc-41ae-a48c-99f47e3c4711.filesusr.com/ugd/4dab1e_47216c91274a4883ae1ebb70c87ac23c.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b8200f0d-7f6e-4113-a75b-acdf164943b2/timetable_worksheets_for_4th_grade.pdf (in PDF document text)
    • http://fogobesu.rf.gd/68905586609.pdf (in PDF document text)
    • https://200ee3fc-349d-4871-b5c3-2c1c69b60476.filesusr.com/ugd/7b00a0_63ee00410755484fb04bc9812ccb3011.pdf?index=true (in PDF document text)
    • https://92fa68c6-d088-48c5-94d9-776fe0504fc0.filesusr.com/ugd/5a053b_59ae0944f76545cb8a1ff55a18968c2d.pdf?index=true (in PDF document text)
    • https://8b62b971-d575-4461-ae89-9de7a2afac08.filesusr.com/ugd/c5a911_3df0ebea129a4e25850da408cae44ace.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/84500ccc-4465-432a-86eb-26e3166f6a3f/dillon_reloading_press_1050.pdf (in PDF document text)
    • http://vagasobewinepu.rf.gd/20886095689.pdf (in PDF document text)
    • http://pezamax.myartsonline.com/47492609167.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c58d8d38-7641-442c-9a19-c3767b841618/yamaha_yz250_service.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fc630c5e-c82c-42e0-9f92-a63967f893bf/how_to_reset_iphone_4s_without_apple_id.pdf (in PDF document text)
    • https://30cc9e9c-6145-4029-bfdc-d0561bdb3a10.filesusr.com/ugd/0dcf4b_663169c517b841a9abbc28c194cdd1c8.pdf?index=true (in PDF document text)
    • http://bupazomop.rf.gd/african_medicinal_plants.pdf (in PDF document text)
    • http://vapomogabu.epizy.com/what_is_the_average_middle_class_income_in_australia.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cae3ddc2-4f15-4147-af76-a564e10b70c4/selalawovewefezopewerew.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00033d0e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33D0E | 5192 bytes
    SHA-256: 3e37fe39669c9ae3f2efce3d79f7a2585ea258eac2d2fd7f7938a02f742a7a9e
font_01_sfnt_off00034ecd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x34ECD | 11720 bytes
    SHA-256: bd2b43e7cb8334600dbe78411a4561d6aea51a50c31dd1e3f566bda42b90e081