Malicious PDF — malware analysis report

Static analysis result for SHA-256 c62adf0b6e29b874…

MALICIOUS

PDF

Size: 80.4 KB
Created: 2021-04-07 10:05:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ae05d4cd67f5b706d399d36d34fddb6
SHA-1: 75b0bf2052584c2ac2ef462371a1363e41504a74
SHA-256: c62adf0b6e29b874073e15370b7051d314199ecfbb610294b4dccb6a36288480
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an embedded URL that mimics a search query, likely to trick users into clicking it. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it's designed to lead the user to a malicious site, potentially for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/strik?utm_term=how+much+does+it+cost+to+fix+samsung+smart+tv+screen
    • http://dayzcommunity.info/1976251419t1lmt.pdf
    • https://cdn.sqhk.co/fiwujumejuf/hcjjuoL/43711901642.pdf
    • http://getveran.site/34075437903rnh4n.pdf
    • http://discount50it.pro/hedging_accountingl2g0h.pdf
    • http://probmake12.xyz/dj_private_audio_songs_naa_songs5aum1.pdf
    • http://reduslimer.website/455654118716hbru.pdf
    • http://dominis.xyz/ap_human_geography_frq_20188ix7i.pdf
    • https://cdn.sqhk.co/bujiwamovul/5jahzpT/57110163634.pdf
    • http://skidki-day.shop/xovubutojemewunas5dsfs.pdf
    • https://cdn.sqhk.co/vujagefamig/iaQiiTX/smart_car_price_2015.pdf
    • https://cdn.sqhk.co/pewesopefim/jahaRHB/wugadobabapamu.pdf
    • http://rentline.pro/43969103579yl8n7.pdf
    • http://eurostore.info/1871244052897s7n.pdf
    • http://housefashion.ru/annabelle_s_homework_piano_sheet_musicmbsow.pdf
    • http://ses-sanobrabotka.ru/73556329604o6onc.pdf
    • http://medicinfo.online/usps_label_228_march_2016_word_templamqa1.pdf
    • https://cdn.sqhk.co/detaludolef/ihchciw/just_draw_level_47.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/mikibetiv/bunabefilixiba.pdf
    • https://uploads.strikinglycdn.com/files/ca995c01-1261-4304-b6a9-2fecf10ae60e/zametibalupawikapimawe.pdf
    • https://uploads.strikinglycdn.com/files/2de94513-2e0e-44c5-892c-e1c001864d63/the_logicians_refuted_analysis.pdf
    • https://uploads.strikinglycdn.com/files/76553c8c-e3c0-4bb2-98af-527a87bf7ade/am_i_being_too_negative.pdf
    • https://uploads.strikinglycdn.com/files/2ef70112-b6ef-4049-81dd-b42a663092cf/wemep.pdf
    • https://s3.amazonaws.com/mafavuzenoliki/16694973006.pdf
    • https://uploads.strikinglycdn.com/files/ffd1d5c8-8ceb-4295-99a2-dec2917e5dc0/12048977362.pdf
    • https://s3.amazonaws.com/pevuwarobuvowa/how_much_horsepower_does_a_2012_shelby_gt500_have.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000fc46.bin
    SHA-256: f53586ac91f4d843aab31c86b72f0956d7a5cfb3ee559f24eb1197d0b7ef56f4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC46
    Size: 5584 bytes
  • font_01_sfnt_off00010f35.bin
    SHA-256: eb9047dc76f92167eadeca03b0ef9737b267390fd9adbe21dfa71dc5790c073f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10F35
    Size: 10488 bytes