Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfcdeb0fa65791d6…

Verdict: MALICIOUS
File type: PDF
Size: 78.4 KB
Created: 2021-05-13 08:43:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: acad118613905b237ef24da3a0a57cb8
SHA-1: 9996ca4bad412aab76d39ea5f2cce53027eaca9b
SHA-256: cfcdeb0fa65791d68fce31efb206af06f92f37daeb661e84b1041f69e9200f58
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, appears to be a lure related to search queries, suggesting a phishing or social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://jacksth.ru/strik?utm_term=what+are+the+6+latin+maxims

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000f734.bin
    SHA-256: f489e4801ec1e76223acd713b921dc71fc79b0064ed411ba1384be82f81ed689
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF734
    Size: 5160 bytes
  • font_01_sfnt_off000108a5.bin
    SHA-256: 5ad862a3444468aa7a0a3bef6ed40e36bcc18693e766e7e6520afc2ca9f74822
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x108A5
    Size: 10772 bytes