Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbaad76736273fd3…

MALICIOUS

PDF

Size: 68.7 KB
Created: 2021-04-07 11:19:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d97ca5580e81a38db8aea9876b143ea7
SHA-1: d70eb4da6a19248c249f44fc91eeb05841e98d85
SHA-256: cbaad76736273fd391e3b5776f4fc13070d676280cda9e67db0aae1ba562c2ce
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that redirects to a malicious domain, likely as part of a phishing or malware distribution scheme. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the presence of external URIs and the overall classification suggest the document is designed to lead the user to a harmful resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d001.bin
    SHA-256: 5924bdb24d30e9202f42692514fa5f2877bacb9a8b640645d07cf3493c54bcec
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD001
    Size: 5416 bytes
  • Filename: font_01_sfnt_off0000e271.bin
    SHA-256: 35cd59e5879baa9551453881af4c1b24b39cc34b64ac365662a0eb7df2118f06
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE271
    Size: 10096 bytes