Malicious PDF — malware analysis report

Static analysis result for SHA-256 d265946849110a2a…

MALICIOUS

PDF

Size: 109.4 KB
Created: 2021-02-27 03:51:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25ccafd693ba89d36a94c65e19471ad5
SHA-1: 03a2faf41a8a76220a5105072e0730333160b695
SHA-256: d265946849110a2a04ae01218afd42f44420b357ea2590c533db57993d723dfe
Risk score: 116

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The file is a PDF generated from HTML by wkhtmltopdf. It carries link annotations with external URI actions, and the URLs extracted from it point to further .pdf downloads on assorted .ru, .xyz, .site and .fun domains and on free-hosting services (weebly, S3 buckets, s123-cdn); one of those links likely serves the malicious payload or the next stage of the lure. The callback-phishing heuristic indicates that the document text asks the user to call a phone number in a billing, refund, subscription, fraud or security context, so the expected user interaction is dialling that number or clicking an embedded link. The ML classifier (score 0.9997) and the ClamAV signature both point to malicious intent, most likely phishing or malware distribution. Note that none of the listed heuristics reports JavaScript in the file, so the T1059.007 mapping above is not backed by any listed indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that keeps the first definition and one that keeps the last will resolve different content, a parser-confusion shape used by targeted PDFs so that a scanner and the victim's viewer see different things. Body-only differences are also exactly what benign incremental updates produce, so severity is raised only when the duplicate carries active content (such as a URI or JavaScript action).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the trailing entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL, dejavu.sourceforge.net) are XMP metadata namespaces and the DejaVu font licence URLs, most likely carried by the embedded fonts rather than by link actions.
    • https://druttle.ru/wb?keyword=probability%20and%20stochastic%20processes%20third%20edition%20solution
    • http://hs-life.ru/kexosuvurulapk5tq.pdf
    • https://static.s123-cdn-static.com/uploads/4470837/normal_5fffd338414f8.pdf
    • http://tonagruz.ru/kiniruvizamdwtx7.pdf
    • https://bovidekomuburo.weebly.com/uploads/1/3/5/3/135312485/gukigasunuju.pdf
    • http://blancer.xyz/84195692726kgp9e.pdf
    • http://medway24.com/captain_underpants_toys_argosz6sdm.pdf
    • https://cdn-cms.f-static.net/uploads/4416656/normal_603982339c951.pdf
    • http://hookup154.site/arijit_singh_songs_2019_download_pagalworld_mp3vsclm.pdf
    • https://static.s123-cdn-static.com/uploads/4413703/normal_6005493216874.pdf
    • http://onlinetyz.xyz/hikvision_ip_camera_2mpe3iov.pdf
    • https://kabibejago.weebly.com/uploads/1/3/6/0/136050231/1125016.pdf
    • https://lupawepenotude.weebly.com/uploads/1/3/1/6/131606523/jugudasodusodekuj.pdf
    • http://prostochillforum.fun/73514382937a5vjg.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/norozovijalu/craftsman_10_radial_arm_saw_model_113.pdf
    • https://s3.amazonaws.com/zijivevip/18164188343.pdf
    • https://s3.amazonaws.com/tibitexil/pirates_of_silicon_valley_movie_480p.pdf
    • https://s3.amazonaws.com/fuvidokibet/android_google_maps_current_location.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
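The duplicate-object and external-URI heuristics above are easy to reproduce by hand. The script below is an added example written for this page, not the analyser's own code: it scans raw PDF bytes for every `N G obj ... endobj` definition, reports objects redefined with different bodies, and shows which URI a first-wins reader versus a last-wins reader would follow from a link annotation. The sample PDF bytes are constructed (they are not the analysed file and are not a complete, valid PDF), the list of keys treated as "active content" is my assumption rather than the report's rule, and the regex scan deliberately ignores object streams and xref tables, so a real viewer can differ from both policies.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample (not the analysed file): minimal PDF-like bytes in which
# object "3 0", the URI action behind a link annotation, is defined twice with
# different bodies, the shape an incremental update (or a parser-confusion lure) has.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Page /Annots [2 0 R] >>
endobj
2 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A 3 0 R >>
endobj
3 0 obj
<< /S /URI /URI (http://example.org/first.pdf) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
3 0 obj
<< /S /URI /URI (http://example.net/second.pdf) >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.DOTALL)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
ACTION_REF_RE = re.compile(rb"/A\s+(\d+)\s+(\d+)\s+R\b")
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Keys that make a duplicated object "active content" for triage purposes.
# This list is an assumption for the example, not the report's own rule.
ACTIVE_RE = re.compile(rb"/(URI|JS|JavaScript|Launch|OpenAction|AA|SubmitForm)\b")


def parse_objects(data):
    """Map (object number, generation) -> list of body bytes in file order.

    Naive regex scan over the raw bytes: it sees every definition of an object,
    not just the one the xref table points at, but it does not look inside
    object streams (/ObjStm) or compressed data.
    """
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def resolve(objs, key, policy):
    """Return the body a 'first'-wins or 'last'-wins reader would use for key."""
    bodies = objs.get(key)
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies.

    Returns [(key, sha256 of first body, sha256 of last body, active)], where
    active is True if any of the differing bodies carries active content.
    """
    findings = []
    for key, bodies in objs.items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # not redefined, or redefined with identical bytes: harmless
        findings.append((
            key,
            hashlib.sha256(bodies[0]).hexdigest(),
            hashlib.sha256(bodies[-1]).hexdigest(),
            any(ACTIVE_RE.search(b) for b in bodies),
        ))
    return findings


def link_uris(objs, policy):
    """URIs reachable from /Link annotations under the given resolution policy."""
    uris = []
    for key in objs:
        annot = resolve(objs, key, policy)
        if not LINK_RE.search(annot):
            continue
        ref = ACTION_REF_RE.search(annot)
        # /A is either an indirect reference (resolved under the same policy)
        # or an inline dictionary, in which case the URI sits in the annot itself.
        action = resolve(objs, (int(ref.group(1)), int(ref.group(2))), policy) if ref else annot
        m = URI_RE.search(action or b"")
        if m:
            uris.append(m.group(1).decode("latin-1"))
    return uris


def triage(data):
    """Duplicate-object findings plus the URI each reader policy would follow."""
    objs = parse_objects(data)
    return {
        "duplicates": duplicate_objects(objs),
        "first_wins": link_uris(objs, "first"),
        "last_wins": link_uris(objs, "last"),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_PDF).items():
        print(name, value)
```

To run it against a real sample, pass `open(path, "rb").read()` to `triage()`. The useful output is the disagreement: when `first_wins` and `last_wins` differ and the duplicate is flagged active, the file presents one link to tools that stop at the first definition and another to viewers that honour the update, which is the condition the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic escalates on.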

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000146ea.bin
  SHA-256: c24ba7bebd04ee74e11c402a8b2a57f48b6823233b9837637a8c9e0fa263f97f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x146EA
  Size: 5404 bytes

Filename: font_01_sfnt_off0001593d.bin
  SHA-256: e3e01dbbc09ae6d13ba08b949fc7c120d8c33b1c23e3def79d9e75247deace95
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1593D
  Size: 2348 bytes

Filename: font_02_sfnt_off00016305.bin
  SHA-256: 54e755215e3710cecedd50874426a9df016540eec54e84c483569bdbe237261e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16305
  Size: 13368 bytes

Filename: font_03_sfnt_off00019093.bin
  SHA-256: 141e33a876be59f6fb4c887c80c294c3a4f2c4bc3e1a56f0d2c1bfdd0d7bdc6c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x19093
  Size: 16572 bytes