Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd447bdaa5c3ee55…

MALICIOUS

PDF

78.1 KB Created: 2021-03-26 12:21:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0228726c3c7b9f96d0ed4beefd1dfd8b SHA-1: 2801bec54ca5623bf17b50792c45eadc9ca558f0 SHA-256: cd447bdaa5c3ee551337c13e08d9f37ea820e6d6b447735c604864182cd96889
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely intended to trick the user into downloading a malicious payload by impersonating a search result. No scripts were extracted, but the presence of an external URI in a malicious PDF strongly suggests a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/123?utm_term=dji+flight+simulator++mac
    • https://cdn.sqhk.co/raxulaxesob/fRugiJ6/gomelekadivipoliwimenof.pdf
    • http://dubogisixaxilu.iblogger.org/zujetalowofatodasakojex.pdf
    • https://cdn.sqhk.co/zokosofu/gjXhaif/mivuwogewokuxeg.pdf
    • https://cdn.sqhk.co/makulowujip/dhhhahb/lorenepumefapipexilaruk.pdf
    • http://wilozobugo.iblogger.org/19761339628.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kimitumepogamom.epizy.com/2743600723.pdf
    • https://s3.amazonaws.com/jowutoneranemuk/70744965028.pdf
    • http://lejugolidisixod.rf.gd/61049054130.pdf
    • https://s3.amazonaws.com/jezobasit/the_monkey_king_cast_2020.pdf
    • https://s3.amazonaws.com/wizitifowubux/jagosiwebo.pdf
    • https://s3.amazonaws.com/rujabepifar/xalamojobefezaxofuwero.pdf
    • https://uploads.strikinglycdn.com/files/9eb560ff-2400-4f6e-b961-71d02967345c/20672994155.pdf
    • https://s3.amazonaws.com/bipepezuwed/holy_rosary_guide_bisaya.pdf
    • https://uploads.strikinglycdn.com/files/12ae585c-1701-43e2-9f0f-b1a3abfe0a72/46955481471.pdf
    • https://s3.amazonaws.com/bokofapig/what_menu_items_is_taco_bell_getting_rid_of.pdf
    • https://s3.amazonaws.com/xakajoziwibi/47969778449.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f383.bin
9cc53a9ef04f29830b34a7ddc54dbb7d900f5493dc6414feef899948db093ab4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF383 5372 bytes
font_01_sfnt_off000105a8.bin
ed38871d3766ab1c73ff74a550adfc4340439f6e571f557e74c454e63368e2af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x105A8 11256 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.