Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc885596f4044630…

Verdict: MALICIOUS
File type: PDF
Size: 98.2 KB
Created: 2021-03-31 17:44:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 753ccc12865ec5916a00d31b8ddfaa53
SHA-1: 20bb7813bd8ee91f4f3b104b762697d517e3571c
SHA-256: cc885596f40446307ea2b53b22619c08a71bb86164cf3b81f682ef3978fd8395
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document detected as malicious by ClamAV and an ML classifier. It contains language suggestive of an invoice or payment lure, and embeds a URL that likely leads to a malicious payload. The PDF structure itself does not contain executable scripts, but the embedded URI is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Fake invoice / payment lure (severity: low; rule: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001406a.bin
    SHA-256: e9cc4631639e28768fa47dbde636c22ad21a7f89f3feb2fb3a79beb5949e7392
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1406A
    Size: 5544 bytes
  • Filename: font_01_sfnt_off0001532b.bin
    SHA-256: e5b7f905d246429b07ef5bbef56793b60c5e1db3c7ba16962d1da647bef25ae5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1532B
    Size: 11808 bytes