Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb33d4b120bfd709…

Verdict: MALICIOUS
File type: PDF
Size: 83.4 KB
Created: 2021-06-09 22:35:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf5df619e95cfad03a6f8d959877c9c4
SHA-1: 0fab96c72440befc385a8de0ad78d25c8e5465f1
SHA-256: cb33d4b120bfd7095cac432fa5908a1a9c05c119ac17ce8db40cbd7b10ccb76c
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URL that mimics a search result for educational materials, likely to trick users into clicking it. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://drafthe.ru/pbw?utm_term=8th+grade+math+worksheets+pdf+with+answers

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000fb31.bin | fe81ed02c83d1803ab80e90ab0d626189ae48e23ffa7de3d88ea5dbf82b8b101 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB31 | 5464 bytes
font_01_sfnt_off00010db1.bin | afddb03476f2836f45469ed2d286714991239a46ca2cba7dc9d74cbf60ef0e56 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DB1 | 10628 bytes
font_02_sfnt_off000131f6.bin | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x131F6 | 4324 bytes