Malicious PDF — malware analysis report

Static analysis result for SHA-256 d251eebce7a7f58e…

Verdict: MALICIOUS    File type: PDF    Risk score: 96

Size: 69.9 KB
Created: 2021-06-05 04:53:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
(Creation date and authoring application are the document's own declared metadata and can be set to anything by the author; treat them as hints, not facts.)

MD5: 86c4c7f18d8dd9f40822b2bc55a0dff0
SHA-1: d5f8a6b2157e2512edfe0623ca36500d65b85efb
SHA-256: d251eebce7a7f58e052d6db8c21d43c9e83b3086607dcbaff73735048d60fc42

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is classified as malicious by the Nyx PDF ML classifier (score 0.9997) and by ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0. Its single link annotation carries a URI action to https://queure.ru/pbw?utm_term=main+difference+between+guided+and+unguided+media, the likely lure destination (a phishing page or a malware download); every other extracted URL occurs only in the document text. That text, a search-style query about guided versus unguided transmission media plus a list of links to other PDFs, dresses the document up as educational material, the kind of pretext typical of a spearphishing attachment. The same indirect object is also defined twice with different bodies; on its own that is consistent with an ordinary incremental save, but it is the shape that lets first-wins and last-wins readers see different content, so it is worth checking against the reader the target actually uses. Note that the T1059.007 (JavaScript) mapping is not corroborated by the four heuristics below, none of which reports JavaScript.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV flagged the file with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI (info, PDF_URI)
    The PDF contains a URI action that opens an external URL; here it is attached to a link annotation (see the per-URL labels below).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) through which each URL was reached.
    Reached via a PDF link annotation (the only URL wired to an action, i.e. the one a click would open):
    • https://queure.ru/pbw?utm_term=main+difference+between+guided+and+unguided+media
    Reached via PDF document text (present as text only):
    • https://static.s123-cdn-static-d.com/uploads/4462732/normal_60b3626028472.pdf
    • https://cdn-cms.f-static.net/uploads/4365660/normal_6035022cb52e3.pdf
    • https://static.s123-cdn-static.com/uploads/4412415/normal_5ff809619ed10.pdf
    • https://cdn-cms.f-static.net/uploads/4471106/normal_601ef90c3a055.pdf
    • https://cdn-cms.f-static.net/uploads/4489259/normal_5fd38ef54ed8a.pdf
    • https://static.s123-cdn-static.com/uploads/4425909/normal_5ffa0d4daa69d.pdf
    • https://cdn-cms.f-static.net/uploads/4408333/normal_603e813435f87.pdf
    • https://cdn-cms.f-static.net/uploads/4477886/normal_60bab39eaf21b.pdf
    • https://static.s123-cdn-static.com/uploads/4453560/normal_5fc87363c093a.pdf
    • https://static.s123-cdn-static.com/uploads/4374978/normal_6001e2cd90881.pdf
    • https://cdn-cms.f-static.net/uploads/4374188/normal_605b62cdd8fc9.pdf
    • https://static.s123-cdn-static.com/uploads/4420028/normal_5fe4dc2d862b7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/981cd1ba-3cd2-43fa-ad38-54b95ae1dc55/side_by_side_student_book_2_third_edition_free_download.pdf
    • http://pokuwatosat.pbworks.com/w/file/fetch/144457113/aprende_ya_a_tocar_el_acordeon_de_botones.pdf
    • https://uploads.strikinglycdn.com/files/b431d013-4202-4785-b2e6-d4a4aa150a68/8233594585.pdf
    • http://tujedet.pbworks.com/f/9405327561.pdf
    • https://uploads.strikinglycdn.com/files/333dfa23-688d-45b2-930b-d1ee3aa1e2ae/the_bell_jar_sylvia_plath_the_collected_poems.pdf
    • https://uploads.strikinglycdn.com/files/0221b88f-fa67-4443-9ef2-a7bd47935cbc/si_ttais_la_accord_guitare.pdf
    • https://uploads.strikinglycdn.com/files/92e92ba1-602f-4cd0-a3bd-ddf20b031553/1887758420.pdf
    • https://uploads.strikinglycdn.com/files/0345d4e4-d9f4-4113-bb9e-11f65f867f61/68585415778.pdf
    • http://jajafad.pbworks.com/f/nivun.pdf
    Also in PDF document text, but these are XMP/RDF schema identifiers and the SIL Open Font License link from embedded-font metadata: expected in any PDF that carries XMP metadata and OFL-licensed fonts, and not something a user can click:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
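The two PDF heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI/EMBEDDED_URL, are easy to reproduce by hand. The following Python is an added example, not the analysis platform's code and not extracted from this sample: it scans a PDF for indirect objects defined more than once with differing bodies, reports what a first-wins reader and a last-wins reader would each resolve, raises severity only when a duplicate carries active content, and pulls every /URI target out of link annotations. The sample PDF it runs on is constructed inline; its object layout, the hostnames example.org and attacker.invalid, and all function names are assumptions for illustration. It handles classic uncompressed object syntax only; objects packed into /ObjStm streams would have to be inflated first.

```python
"""Reproduce two PDF checks over a hand-built sample (added example, not the
report's tooling):
  1. the same "N G obj" defined twice with different bodies, so first-wins
     and last-wins readers disagree;
  2. /URI targets reachable from link annotations, shadowed ones included.
"""
import json
import re
from collections import defaultdict

# Classic, uncompressed object syntax only. Objects packed into /ObjStm
# object streams are invisible to this scan and need inflating first.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values only; the hex-string form /URI <...> is not handled.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# Keys whose presence in a duplicated body justifies raising severity.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def find_objects(data):
    """Map (num, gen) -> [(file_offset, body_bytes), ...] in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs[key].append((m.start(), m.group(3).strip()))
    return dict(objs)


def duplicate_objects(data):
    """Objects defined more than once with at least two distinct bodies.
    Byte-identical repeats (common in benign incremental saves) are ignored."""
    return {key: defs for key, defs in find_objects(data).items()
            if len(defs) > 1 and len({body for _, body in defs}) > 1}


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def resolve(data, num, gen, policy="last"):
    """Emulate how a first-wins or last-wins reader resolves (num, gen)."""
    defs = find_objects(data).get((num, gen))
    if not defs:
        return None
    return defs[0][1] if policy == "first" else defs[-1][1]


def _unescape(s):
    # Only the literal-string escapes a URI plausibly needs: \( \) and \\ .
    return (s.replace(b"\\(", b"(").replace(b"\\)", b")")
             .replace(b"\\\\", b"\\").decode("latin-1"))


def uris_in(body):
    return sorted({_unescape(m.group(1)) for m in URI_RE.finditer(body)})


def link_uris(data):
    """Every /URI target across every definition, shadowed ones included."""
    found = set()
    for defs in find_objects(data).values():
        for _, body in defs:
            found.update(uris_in(body))
    return sorted(found)


def report(data):
    """Every URI seen, plus each conflicting duplicate with its offsets,
    whether it carries active content, and what each reader policy gets."""
    out = {"uris": link_uris(data), "duplicates": {}}
    for (num, gen), defs in duplicate_objects(data).items():
        active = any(has_active_content(body) for _, body in defs)
        out["duplicates"]["%d %d" % (num, gen)] = {
            "offsets": [off for off, _ in defs],
            "active": active,
            "severity": "high" if active else "info",
            "first_wins": uris_in(defs[0][1]),
            "last_wins": uris_in(defs[-1][1]),
        }
    return out


# --- constructed sample PDFs (assumptions, not the analysed file) ----------
def _link_annot(uri):
    return (b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
            b"   /A << /S /URI /URI (" + uri + b") >> >>\nendobj\n")

_HEAD = (b"%PDF-1.4\n"
         b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
         b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n")
_TRAILER = b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
BENIGN_URI = b"https://example.org/guided-vs-unguided.pdf"
LURE_URI = b"https://attacker.invalid/pbw?utm_term=main+difference"

# An incremental update redefines object 4 with a different link target.
SAMPLE_PDF = _HEAD + _link_annot(BENIGN_URI) + _TRAILER + _link_annot(LURE_URI) + _TRAILER
# Same shape, but the update repeats object 4 byte-for-byte: not flagged.
BENIGN_PDF = _HEAD + _link_annot(BENIGN_URI) + _TRAILER + _link_annot(BENIGN_URI) + _TRAILER

if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_PDF), indent=2))
```

Run as a script it prints a JSON summary: a first-wins reader lands on the original target and a last-wins reader on the replacement, which is exactly the disagreement the heuristic is about, and because the duplicated body carries a /URI action the severity is raised. The byte-identical redefinition in BENIGN_PDF is left alone, matching the "body-only differences are common in benign incremental updates" caveat. On a real sample, run the scan on the raw file and again after disabling object streams (for example with qpdf --qdf --object-streams=disable), then confirm which definition the target's actual reader honours by opening the file in it rather than assuming either policy.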

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                     Size
font_00_sfnt_off0000d3b3.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xD3B3  5368 bytes
    SHA-256: a3cd5c17cae73ce87ee7936baf27910e4a025ed0ba78d0625574f303f2576e2a
font_01_sfnt_off0000e608.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xE608  10288 bytes
    SHA-256: b0553e01291f817a6ed0f7238f5da42123d73c3ae8ac72371856da16f2e93766