Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5f902a9321192fc…

Verdict: MALICIOUS
File type: PDF
Size: 165.5 KB
Created: 2021-03-30 17:19:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 39178631e35a7b86a51405c583f53b10
SHA-1: 2e93df3a783ea80f04f9c9f09ccba0c9c0e662e1
SHA-256: c5f902a9321192fc746cf2dba4cce8043ff1da7f079059797a2eb918ab7949b5
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document produced by wkhtmltopdf that carries an external URI action whose target was identified as a phishing lure. The ML classifier (score 0.9968) and the ClamAV signature both classify it as malicious; the likely purpose is to redirect the reader to a phishing page or to a further download. No JavaScript or other scripts were extracted, so the T1059.007 mapping is not backed by any recovered code, and the delivery vector is social engineering: the reader has to follow the link. One indirect object is also defined twice with differing bodies, which is consistent with an incremental update but means a first-wins and a last-wins parser can resolve different content, so both views are worth checking. Of the URLs listed below, the XMP namespace URIs and the font-licence links at the end of the list come from metadata and embedded fonts, not from navigable links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9968

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV matched this file against the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://nipisod.ru/strik?utm_term=ap+seminar+stimulus+material+2019
    • https://cdn-cms.f-static.net/uploads/4469126/normal_6050d604cfcae.pdf
    • https://cdn-cms.f-static.net/uploads/4454422/normal_60216a0e24a7b.pdf
    • https://static.s123-cdn-static.com/uploads/4419849/normal_5fe5389540fb2.pdf
    • http://alcexpress1.xyz/121055561626oaug.pdf
    • https://vamemaxodoj.weebly.com/uploads/1/3/1/4/131437173/wetesasijob.pdf
    • https://dotowukigirer.weebly.com/uploads/1/3/1/1/131163902/tajorelomokejep_lefabowabikezuj_sutivab_xozotad.pdf
    • http://dress-russia.ru/putunifexhs.pdf
    • http://natorg.fun/90437727190be08f.pdf
    • http://xeboxemovev.66ghz.com/ssc_chsl_2019_form_apply_online.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://95049c82-e412-4913-a0b0-e03e83d5170a.filesusr.com/ugd/127d6e_c6ef9643410f402b8f06d9a796529d17.pdf?index=true
    • https://a4758657-6aaa-4003-b0f6-1957e800abfd.filesusr.com/ugd/70c1f8_1ed77418f3284a57a9b8e1df0c57406d.pdf?index=true
    • https://3d9856c9-ddaf-40ef-ab37-14107f3d3ee7.filesusr.com/ugd/938106_5a71582cc5b2429f963b36396a40d343.pdf?index=true
    • https://s3.amazonaws.com/gixawetopoli/64006787731.pdf
    • https://s3.amazonaws.com/mudurixo/varicocele_symptoms_merck_manual.pdf
    • https://f635e5d9-31b1-4f19-b758-7a623be10181.filesusr.com/ugd/6cf0f5_69277ec9b5ee4ed58597e96f593d5724.pdf?index=true
    • https://s3.amazonaws.com/jiguwuzobozobaz/apriori_algorithm_ppt.pdf
    • https://s3.amazonaws.com/sefepugolupalax/how_to_improve_memory_skills_for_students.pdf
    • https://caf0f927-206f-4b4e-aa34-0dd3da53679b.filesusr.com/ugd/83d902_57eeb96914b2488f8a264ae7c5631490.pdf?index=true
    • https://s3.amazonaws.com/tinezedu/how_to_put_ge_top_load_washer_in_diagnostic_mode.pdf
    • http://mebuwakubir.rf.gd/c_programming_from_problem_analysis_to_program_design_seventh_edition.pdf
    • http://litopuputorer.rf.gd/corporate_profile_report_search_ontario.pdf
    • http://vizepojuduw.rf.gd/53553866891.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
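One way to reproduce the two checks above (the duplicate-object heuristic with first-wins versus last-wins resolution, and per-URL channel labelling) as an added Python example; this is not code from the analysis platform or from this report. The channel names, the list of "active content" dictionary keys, the regexes and the sample PDF bytes are this example's own assumptions, and the sample is constructed, not the analysed file.

```python
"""Static triage of raw PDF bytes: duplicate indirect objects (first-wins versus
last-wins resolution) and per-URL channel labels. Xref tables are ignored on
purpose; a definition hidden from the xref chain still shows up this way."""
import hashlib
import re
from collections import defaultdict

# "N G obj ... endobj" definitions in file order, repeated ones included.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Target of a URI action: /A << /S /URI /URI (https://...) >>
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# Anything URL-shaped, so XMP namespaces and plain body text are caught too.
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Keys that make a duplicated object count as "carrying active content" (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm")


def parse_objects(pdf: bytes) -> dict:
    """Map (object number, generation) -> list of body bytes, keeping every definition."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return dict(objs)


def duplicate_objects(objs: dict) -> dict:
    """Objects defined more than once with differing bytes, with the SHA-256 of the
    body a first-wins reader and a last-wins reader would each resolve."""
    found = {}
    for key, bodies in objs.items():
        digests = [hashlib.sha256(b).hexdigest() for b in bodies]
        if len(bodies) > 1 and len(set(digests)) > 1:
            found[key] = {
                "count": len(bodies),
                "first_wins": digests[0],
                "last_wins": digests[-1],
                "active_content": any(k in b for b in bodies for k in ACTIVE_KEYS),
            }
    return found


def label_urls(objs: dict) -> dict:
    """Map each URL to the channels that reach it. Channel names are this example's
    own: 'uri_action' (link/action target), 'xmp_metadata' (inside an XMP stream),
    'document_body' (anything else). An action target also records which reader,
    first-wins or last-wins, would treat it as the live target."""
    labels = defaultdict(set)
    for bodies in objs.values():
        last = len(bodies) - 1
        for i, body in enumerate(bodies):
            targets = set(URI_ACTION_RE.findall(body))
            in_xmp = b"xmpmeta" in body or b"/Type /Metadata" in body
            for raw in URL_RE.findall(body):
                url = raw.decode("latin-1")
                if raw in targets:
                    labels[url].add("uri_action")
                    if i == 0:
                        labels[url].add("first_wins")
                    if i == last:
                        labels[url].add("last_wins")
                elif in_xmp:
                    labels[url].add("xmp_metadata")
                else:
                    labels[url].add("document_body")
    return dict(labels)


def triage(pdf: bytes) -> dict:
    objs = parse_objects(pdf)
    return {"duplicates": duplicate_objects(objs), "urls": label_urls(objs)}


# Constructed sample, not the analysed file: one page with a link annotation, an XMP
# metadata stream and a URL in page text, followed by an incremental update that
# redefines the link object with a different target. Xref tables are left out.
XMP = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
       b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/></x:xmpmeta>")
TEXT = b"BT /F1 12 Tf (See https://example.test/in-page-text) Tj ET"
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >> endobj\n",
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://example.test/original-link) >> >> endobj\n",
    b"5 0 obj << /Type /Metadata /Subtype /XML /Length %d >> stream\n" % len(XMP),
    XMP, b"\nendstream endobj\n",
    b"6 0 obj << /Length %d >> stream\n" % len(TEXT), TEXT, b"\nendstream endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
    # incremental update: same object number and generation, different body bytes
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://example.test/redirected-lure) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for (num, gen), info in report["duplicates"].items():
        print("object %d %d defined %d times, active content: %s"
              % (num, gen, info["count"], info["active_content"]))
    for url, channels in sorted(report["urls"].items()):
        print(url, sorted(channels))
```

Running the file prints the duplicated link object (flagged as carrying active content because its bodies contain /URI) and each URL with its channels: the original and the redirected targets are both URI actions, but only a first-wins reader follows the former and only a last-wins reader the latter, while the RDF namespace lands in xmp_metadata and the page-text URL in document_body. A duplicate whose bodies are byte-identical, as in a plain incremental re-save, is not reported at all.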

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are sfnt font programs embedded by the authoring tool; the report attaches no detection to them.

Filename / SHA-256, Kind, Source, Size

font_00_sfnt_off0002188f.bin
    SHA-256: 868c10bc38fc98d1648928808277dd40de762b0ed69723c6c70a0089bc1ebf89
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x2188F    Size: 5436 bytes

font_01_sfnt_off00022aec.bin
    SHA-256: b9a573435e457719bd624d7ef5c0df4d8c4d952953c3c9273bbb8c1f768ad0fa
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x22AEC    Size: 8676 bytes

font_02_sfnt_off000247cd.bin
    SHA-256: 37ff667b8858420b300c8f16a87ddbd9651ddd0ec0c3d80d9a2f5b3358b6946a
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x247CD    Size: 11408 bytes

font_03_sfnt_off00026ee6.bin
    SHA-256: c4a88683016fd88600f0e4617ab4f2ed43595512a875c7723e8ba747a32e0b42
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x26EE6    Size: 16848 bytes