Malicious PDF — malware analysis report

Static analysis result for SHA-256 c968be68aec41de3…

MALICIOUS

PDF

Size: 104.9 KB
Created: 2021-03-12 12:56:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a254e27160891e1ad9169ac019a6be2f
SHA-1: ebbfb513c84686c6bf33cb5547b6a18b0558e8dc
SHA-256: c968be68aec41de3c68a6be5f7d525ce322e9e88fdf1b578404d098426cea381
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. Although no scripts were explicitly extracted, the presence of embedded URIs and the nature of the detection suggest an attempt to redirect the user to a malicious site, potentially for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_009_off000183d3.bin | 24360cdb7014ada8aa5e6f1d3277a2d71ef7b6d1dc3bf288ea9a040c472e669a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x183D3 | 6504 bytes |
| font_00_sfnt_off0000ff74.bin | 415404d41102603d116b671105f4e25befd3b6278fea9392b4c16d82bc7d66e8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF74 | 7328 bytes |
| font_01_sfnt_off0001125d.bin | a277baa0363301820e691350cb860598f83a55ab5f470b69e31f1ace31f899c5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1125D | 3148 bytes |
| font_02_sfnt_off00011d9c.bin | c9ba0cbc7c7fae1f3c2f546a0e7847839c3864c9c4cec4749d05f8a7a4bbea35 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D9C | 5460 bytes |
| font_03_sfnt_off00013002.bin | 9b26e63dddb061148d2096f8a3abd9ddbfbe7663dcfe2e6edc24d1b84c1ba01d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13002 | 6280 bytes |
| font_04_sfnt_off00013f6c.bin | d8dbe9fc8738ed23c1d57d9ce2be7dd6261f856e4e952f55f532cbb6af6dbca3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13F6C | 15056 bytes |
| font_05_sfnt_off00016d35.bin | 04fe25b29f051d70f1708f46f478918d30a58f8dd56488b8fb7dbeafae74b6e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16D35 | 16516 bytes |