Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc2d7adf99ff51d7…

Verdict: MALICIOUS
File type: PDF
Size: 82.8 KB
Created: 2021-03-18 05:18:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7136c5ced51743024e6db439a672b870
SHA-1: 7142d296c122e8d53c8a0d0b5bb91cf315fb5327
SHA-256: cc2d7adf99ff51d7ab51f67a722ab63c4edcb13965bfa03076d30eb0f5270e97
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged by multiple heuristics, including a critical ClamAV phishing signature match and a high-confidence ML classifier score. The primary link target, `https://leonvi.ru/wix?keyword=keys+to+drawing+pdf+drive`, is a redirect-style URL that carries a search-keyword parameter, which points to a social-engineering lure rather than to a document drop; the remaining link targets are further .pdf files on unrelated free-hosting and CDN domains. No JavaScript or other script content was extracted, so the T1059.007 mapping rests on the detection profile rather than on recovered code. The XMP namespace URIs (w3.org, purl.org, ns.adobe.com) and the font-licence URLs (SIL OFL, DejaVu, Ascender) at the end of the URL list are standard metadata produced by wkhtmltopdf and its embedded fonts, and are not indicators. Taken together, the detection profile and the link targets indicate a phishing or malware-distribution document that relies on the user following a link rather than on an exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (a later revision legitimately overwrites an earlier object), so severity is raised only when the duplicate carries active content such as an action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/wix?keyword=keys+to+drawing+pdf+drive
    • https://static.s123-cdn-static.com/uploads/4423462/normal_5feb496ca89f7.pdf
    • http://itdiscount.pro/general_data_protection_regulation_individuals_have_the_right_to_obtain9o1co.pdf
    • http://wutulesarox.iblogger.org/67035398984.pdf
    • http://parrrtner.xyz/9284274311gzmmt.pdf
    • http://eyebrowthreadingdallastx.com/edmentum_answers_english_11rgyk9.pdf
    • http://winclean-shop.space/binarasapazrl37h.pdf
    • https://cdn.sqhk.co/mekewufi/ygiYejg/no_eye_in_team_childish_major.pdf
    • http://kizexibos.iblogger.org/can_you_use_salicylic_acid_on_your_scalp.pdf
    • https://cdn.sqhk.co/tamaladafa/iJ4zrgc/vilotukozutagijeluv.pdf
    • https://cdn-cms.f-static.net/uploads/4384639/normal_5fe901fa560b6.pdf
    • http://starkrobotics.org/what_time_is_best_to_trade_cryptocurrencych0ax.pdf
    • https://static.s123-cdn-static.com/uploads/4411922/normal_5fe42a22e02dd.pdf
    • https://static.s123-cdn-static.com/uploads/4404490/normal_5ff47b82b8315.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a1c9bafd-2917-4c1b-b79c-a4b44a941470.filesusr.com/ugd/f0f215_109f4c15be7a4e3c804db16510759e73.pdf?index=true
    • http://junedujivoxoz.epizy.com/molibabixaxoled.pdf
    • http://feramivo.rf.gd/android_9_cho_samsung_j7_prime.pdf
    • http://gisobugiwe.rf.gd/xixanumitevuvajevisofel.pdf
    • http://funasuruwet.epizy.com/rekilijilawidobo.pdf
    • http://masidurexo.rf.gd/dobizukovurabavipobi.pdf
    • https://7be8961d-effb-4c78-a255-78c3c9f0be09.filesusr.com/ugd/3dd68e_f90df9def5e94db79b5ea2b1b53cca1f.pdf?index=true
    • http://zupurusos.rf.gd/jadalosusidofovafaku.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
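The two PDF heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL, can be reproduced on raw bytes. The following Python is an added example, not the analysis platform's code: it indexes `N G obj ... endobj` definitions, flags object numbers whose repeated definitions differ, shows what a first-wins and a last-wins reader would each resolve, and extracts URLs while separating /URI action targets from URLs that merely appear in the document body (such as XMP namespace URIs). The sample PDF is constructed inline (a base revision plus an appended incremental update that redefines the link annotation; xref tables are omitted since the scanner does not use them), and all function and constant names are the example's own.

```python
"""Added example (not the analysis platform's code): index a PDF's indirect
objects on raw bytes, flag object numbers defined twice with different bodies,
show first-wins vs last-wins resolution, and extract URLs per channel."""
import re
from collections import defaultdict

# "N G obj ... endobj" on raw bytes. Objects inside compressed object streams
# (/Type /ObjStm) are invisible to this regex; a full parser must inflate them.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI action targets written as literal strings; hex strings <...> are not handled.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_ANY_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# Namespace URIs present in every XMP-bearing PDF; listed for labelling, not detection.
METADATA_PREFIXES = ("http://www.w3.org/", "http://purl.org/", "http://ns.adobe.com/")

# Constructed sample: base revision, then an incremental update redefining 5 0 obj.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length 66 >>\nstream\n"
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\n'
    b"endstream\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/benign.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Appended update: same object number and generation, different body.
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://leonvi.ru/wix?keyword=keys+to+drawing+pdf+drive) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)


def index_objects(data):
    """Map (num, gen) -> list of body bytes in file order (later = incremental update)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(objs):
    """Keys defined more than once with at least two distinct bodies (the heuristic's shape)."""
    return {k: v for k, v in objs.items() if len(set(v)) > 1}


def resolve(objs, key, policy):
    """Emulate a reader: 'first' keeps the original revision, 'last' keeps the latest."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]


def classify_url(url):
    return "metadata-namespace" if url.startswith(METADATA_PREFIXES) else "link-target"


def extract_urls(data):
    """Return [(url, channel, label)]; channel is 'uri-action' or 'body'."""
    action_targets = set(URI_ACTION_RE.findall(data))
    seen, out = set(), []
    for m in URL_ANY_RE.finditer(data):
        raw = m.group(0)
        if raw in seen:
            continue
        seen.add(raw)
        url = raw.decode("latin-1")
        channel = "uri-action" if raw in action_targets else "body"
        out.append((url, channel, classify_url(url)))
    return out


def analyse(data):
    objs = index_objects(data)
    dups = duplicate_objects(objs)
    return {
        "duplicates": sorted(dups),
        "first_wins": {k: resolve(objs, k, "first") for k in dups},
        "last_wins": {k: resolve(objs, k, "last") for k in dups},
        "urls": extract_urls(data),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_PDF)
    for num, gen in report["duplicates"]:
        print(f"{num} {gen} obj defined more than once with differing bodies")
        print("  first-wins reader sees:", report["first_wins"][(num, gen)])
        print("  last-wins reader sees: ", report["last_wins"][(num, gen)])
    for url, channel, label in report["urls"]:
        print(f"{label:18} {channel:10} {url}")
```

On the constructed sample a first-wins reader follows the benign link while a last-wins reader follows the leonvi.ru target, which is exactly the divergence the heuristic describes. Against a real file the regex only sees uncompressed objects and literal-string /URI values; anything in an object stream must be inflated by a proper PDF parser first, and hex-string URIs must be decoded before comparison. Severity is a separate decision: the duplicate check reports the shape, and whether the later body carries an action or script is what should drive the score.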

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f222.bin
    SHA-256: d94ec6daffd1583d1336dcf00b0573090abb00c5a0ef2865920850b566232845
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF222
    Size: 5400 bytes
  • font_01_sfnt_off000104be.bin
    SHA-256: 62a8aeaec1f542ab1d0332910402abfb635b24187b2f7584e650bf209fd9cd24
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x104BE
    Size: 10616 bytes
  • font_02_sfnt_off00012948.bin
    SHA-256: 4189bb5d82d37c3b06c761c00ca3b3c8a7a7312639514cd6a20481e76712d457
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12948
    Size: 16388 bytes