Malicious PDF — malware analysis report

Static analysis result for SHA-256 c868aa52a903182c…

Verdict: MALICIOUS
File type: PDF
File size: 135.8 KB
Created: 2021-03-18 13:15:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a5579df6c11dffc4ec0a4803f705460
SHA-1: e84749980005699d0c6aa519b3939369915d6ca3
SHA-256: c868aa52a903182c1e5bcb07a2d8b1642ca32cc700a8ac6e3077ef4b06af41f2
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF produced by wkhtmltopdf (an HTML-to-PDF renderer) that contains an external /URI action pointing to a suspicious domain. ClamAV matches it against a phishing-trojan signature and the ML classifier scores it 0.9974 malicious. The document body is heavily obfuscated, and at least one indirect object is defined twice with different bodies, so a scanner and a viewer may not resolve the same content. The external URI suggests an attempt to redirect the user to a potentially malicious site. No scripts were extracted, so the T1059.007 (JavaScript) mapping is not backed by recovered code; the PDF structure and the embedded URI are the strong indicators of a phishing or malware-delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader (which honours the earliest definition) and a last-wins reader (which honours the latest, as incremental updates intend) will resolve different content; this parser-confusion shape is used by targeted PDFs to show a scanner one object and the viewer another. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a /URI, /JavaScript, /Launch or /OpenAction entry).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/award?keyword=meningitis+classification+pdf
    • https://cdn.sqhk.co/munemuzabuk/jjb0uCO/17498979685.pdf
    • http://medway24.com/police_reportz3c4e.pdf
    • https://cdn-cms.f-static.net/uploads/4417123/normal_603f37ca74632.pdf
    • http://blog-millionaire.buzz/52814723959w9rc4.pdf
    • https://cdn.sqhk.co/pixazizaze/cWG1pha/zisabevafozasuwiropiwo.pdf
    • https://cdn.sqhk.co/bivuwusim/hjhadYP/zedezijiwomajadifugibar.pdf
    • http://kismykeitio.best/86034851303wun6j.pdf
    • https://cdn.sqhk.co/jonuwezipagi/EhgCfhg/x-_plane_10_flight_simulator_download.pdf
    • https://cdn.sqhk.co/wegabunuti/oja71ie/project_priority_matrix.pdf
    • http://welitizenowem.mywebcommunity.org/cyberpunk_2020_sourcebook_download.pdf
    • http://nijaxubazaziw.mypressonline.com/fevowit.pdf
    • https://cdn-cms.f-static.net/uploads/4456140/normal_6051a5d30c252.pdf
    • http://websporizlehd.com/zezimizakitutepidy8lq0.pdf
    • https://static.s123-cdn-static.com/uploads/4452845/normal_5fee4a3877924.pdf
    • http://itabody.space/literally_nobody_meme_formataxnj1.pdf
    • http://botefin.medianewsonline.com/nevexinekugi.pdf
    • http://uscarins.info/what_is_site_planning_in_urban_planningmiysy.pdf
    • https://cdn-cms.f-static.net/uploads/4447877/normal_60108d00ba7ac.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/xukonakefules/cadbury_alien_song.pdf
    • http://kuzemepusiloj.onlinewebshop.net/zubiwuwaregada.pdf
    • https://s3.amazonaws.com/vogubivajavofu/exponential_equations_with_logarithms_answers_with_work.pdf
    • http://rukosivujuxu.atwebpages.com/nuveresoxevukipadu.pdf
    • https://s3.amazonaws.com/bifamomove/11469089460.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    Note: the last nine entries are not navigable links. The w3.org, purl.org and ns.adobe.com entries are XMP schema namespace identifiers present in the metadata of almost any PDF, and the scripts.sil.org/OFL and dejavu.sourceforge.net entries are font-licence URLs from embedded DejaVu fonts; the two ascendercorp.com entries are most likely vendor URLs from embedded-font metadata as well. The remaining entries are the ones worth reviewing.
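The PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics above can be reproduced with a brute-force object scan. The following Python is an added example written for this page, not the analysis engine's own code: it scans a constructed sample PDF (placeholder hostnames, not the URLs from this report), lists every indirect object by (number, generation) in file order, reports object numbers defined more than once with differing bodies and raises severity only when such a body carries active content, and labels each extracted URL with the channel that reached it (/URI action, XMP metadata namespace, or bare body text). The regexes, the active-content key list and the channel names are this example's choices and cover literal strings only, not hex-encoded strings or content inside compressed object streams.

```python
import json
import re
from collections import OrderedDict

# Constructed sample PDF (not the analysed file): a link annotation with a /URI
# action and an XMP metadata stream in the original body, a comment carrying a
# URL outside any object, and an incremental update that redefines object 1
# with a different body that adds /OpenAction. All hostnames are placeholders.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
       b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
       b' xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://lure.example.invalid/award?keyword=test) >> >>\n"
    b"endobj\n"
    b"% font licence: http://fonts.example.invalid/licence\n"
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length " + str(len(XMP)).encode()
    + b" >>\nstream\n" + XMP + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update section: same object number, different body bytes.
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R\n"
    b"   /OpenAction << /S /URI /URI (http://second-stage.example.invalid/x.pdf) >> >>\n"
    b"endobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Keys this example treats as "active content" when deciding severity (assumption).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|SubmitForm|GoToR)\b")
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # literal-string /URI only
URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+")


def scan_objects(data):
    """Brute-force object scan in file order, ignoring the xref table (as triage
    tools do, so objects hidden behind a broken or stale xref are still seen)."""
    objects = OrderedDict()  # (num, gen) -> [body bytes, ...] in file order
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objects.setdefault(key, []).append(m.group(3).strip())
    return objects


def duplicate_objects(objects):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: flag (N G) defined more than once with
    different body bytes; raise severity only if a differing body carries
    active content. Reports both the first-wins and the last-wins body."""
    findings = []
    for (num, gen), bodies in objects.items():
        distinct = list(dict.fromkeys(bodies))  # drop exact repeats, keep order
        if len(distinct) < 2:
            continue
        active = sorted({k.decode() for b in distinct for k in ACTIVE_RE.findall(b)})
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": distinct[0].decode("latin-1"),
            "last_wins": distinct[-1].decode("latin-1"),
            "active": active,
            "severity": "high" if active else "info",
        })
    return findings


def extract_urls(data, objects):
    """EMBEDDED_URL with a channel label per URL: 'uri-action' for /URI actions
    (the PDF_URI heuristic), 'xmp-metadata' for URLs inside a /Type /Metadata
    stream (schema namespaces, not links), 'body' for anything else."""
    labelled = OrderedDict()  # url -> channel; the first attribution wins
    for bodies in objects.values():
        for body in bodies:
            for m in URI_ACTION_RE.finditer(body):
                labelled.setdefault(m.group(1), "uri-action")
            if re.search(rb"/Type\s*/Metadata", body):
                for m in URL_RE.finditer(body):
                    labelled.setdefault(m.group(0), "xmp-metadata")
    for m in URL_RE.finditer(data):
        labelled.setdefault(m.group(0), "body")
    return [(u.decode("latin-1"), ch) for u, ch in labelled.items()]


def analyze(data):
    objects = scan_objects(data)
    urls = extract_urls(data, objects)
    return {
        "pdf_uri": any(ch == "uri-action" for _, ch in urls),
        "duplicates": duplicate_objects(objects),
        "urls": urls,
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_PDF), indent=2))
```

Run it as a script to see the JSON, or pass the bytes of a real file to analyze(). Because the scan ignores the xref table it sees both definitions of object 1 regardless of which one a conforming reader would load, which is exactly the discrepancy the duplicate-object heuristic is after.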

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001bec2.bin
  SHA-256: b0b01be11fd9ced754a613f623a823afd9ad992601f9f5dc6b4bce699e8a7d47
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1BEC2
  Size: 5232 bytes

Filename: font_01_sfnt_off0001d0c1.bin
  SHA-256: 54616dfcebf3ee53304ed918c191fb0fa0e181c7d286b8811486c850d4525f97
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1D0C1
  Size: 13364 bytes

Filename: font_02_sfnt_off0001fc00.bin
  SHA-256: 99ddc6f5858eb134f8024171ebe717cbd02485c31471b921a5021903b5272953
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1FC00
  Size: 16060 bytes
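The three carved artifacts are sfnt containers (TrueType/OpenType). As an added example, not part of the report or its tooling, the following Python checks a carved font stream the way a triager would before handing it to a font parser: it validates the sfnt magic, walks the table directory and flags any table whose offset and length run past the end of the carved bytes. The sample font is constructed inside the block (two dummy tables) and is not one of the carved files; the truncated copy stands in for a carve that was cut short.

```python
import struct

SFNT_VERSIONS = {
    0x00010000: "TrueType",
    0x4F54544F: "OpenType/CFF (OTTO)",
    0x74727565: "TrueType (true)",
}


def build_sfnt(tables):
    """Build a minimal sfnt container (constructed test data, not a real font).
    searchRange/entrySelector/rangeShift are left at 0; real fonts derive them
    from numTables, and the parser below does not rely on them."""
    n = len(tables)
    directory, payload = b"", b""
    base = 12 + 16 * n  # header + table directory
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, base + len(payload), len(data))
        payload += data
    return struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0) + directory + payload


def parse_sfnt(blob):
    """Validate a carved font stream: sfnt magic, table directory, and whether
    every table lies inside the carved bytes. A table running past the end means
    the carve is short or the directory is lying; either way its sizes are not
    to be trusted by whatever parses the font next."""
    if len(blob) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack(">IH", blob[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError(f"not an sfnt container: version 0x{version:08x}")
    tables, findings = [], []
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            findings.append(f"table directory truncated after {i} of {num_tables} records")
            break
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        name = tag.decode("latin-1")
        if offset + length > len(blob):
            findings.append(f"table {name} ({offset}+{length}) runs past end of blob ({len(blob)} bytes)")
        tables.append((name, offset, length))
    return {"kind": SFNT_VERSIONS[version], "tables": tables, "findings": findings}


# Constructed sample font and a truncated copy of it (a carve cut short).
SAMPLE_FONT = build_sfnt([(b"head", b"\x00" * 54), (b"glyf", b"\x01" * 40)])
TRUNCATED_FONT = SAMPLE_FONT[:-10]

if __name__ == "__main__":
    for label, blob in (("intact", SAMPLE_FONT), ("truncated", TRUNCATED_FONT)):
        print(label, parse_sfnt(blob))
```

Point parse_sfnt() at the bytes of a carved *.bin to get the table list and any out-of-bounds findings; a clean directory is a precondition for, not proof of, a benign font.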