Malicious PDF — malware analysis report

Static analysis result for SHA-256 d32b23ca3fe3c65e…

Verdict: MALICIOUS
File type: PDF
Size: 81.9 KB
Created: 2021-03-29 02:44:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65b9e5b2fe8ca9344e32f8386b44a802
SHA-1: 51dc544e3af872dec068c9b2f076e3073c4b60d0
SHA-256: d32b23ca3fe3c65e229628f16e0dfe3052e7e2a87be029ca26723051a13e1ac8
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action, and the extracted URL list is headed by https://jacksth.ru/wix?keyword=unblocked+games+24h+run+3, a suspicious domain with a keyword-style query string typical of a redirector; the ML classifier (0.9996) and the ClamAV signature agree on a malicious verdict, consistent with a phishing or malware-distribution campaign. No scripts were extracted, so the T1059.007 (JavaScript) tag is not backed by observed content and should be read as a category default rather than an observed behaviour; the evidence supports a lure-and-redirect document, not an exploit. The wkhtmltopdf authoring application and the long list of unrelated ".pdf" download URLs on shared hosting are consistent with a spam web page rendered to PDF. The trailing entries in the URL list (the w3.org, purl.org and ns.adobe.com namespace URIs, the ascendercorp.com pages and the scripts.sil.org/OFL licence link) come from the XMP metadata packet and the embedded fonts' name tables rather than from link annotations, and are not navigation targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example an action dictionary or JavaScript).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=unblocked+games+24h+run+3
    • https://cdn.sqhk.co/domuduxuro/OgihbqY/wabuma.pdf
    • https://static.s123-cdn-static.com/uploads/4374380/normal_60083b4278e56.pdf
    • http://dizurexemubegog.mygamesonline.org/ashrae_55_2020_download.pdf
    • http://movizopolu.medianewsonline.com/pefafikekixutavufajojeb.pdf
    • https://static.s123-cdn-static.com/uploads/4404757/normal_5ff76b9fbaea0.pdf
    • https://cdn.sqhk.co/sevafeluba/NxShigh/vijavunedikogunitopu.pdf
    • https://static.s123-cdn-static.com/uploads/4370089/normal_5ffd4dd5e1587.pdf
    • https://cdn.sqhk.co/wezopexa/dNhgfig/prestonplayz_among_us.pdf
    • http://vomidujoma.scienceontheweb.net/nulubusiravefo.pdf
    • http://lojapidabud.mypressonline.com/paxevug.pdf
    • https://cdn.sqhk.co/fapetemiji/ffOif50/companions_werewolf_cure.pdf
    • https://cdn.sqhk.co/wujakegu/xkheohh/56963864814.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zerowegujij.onlinewebshop.net/77258178165.pdf
    • https://uploads.strikinglycdn.com/files/020d46ad-7cb9-4ba1-b7f8-d0aca3079315/fallout_4_new_vegas_website.pdf
    • https://uploads.strikinglycdn.com/files/ac31ce11-5ae0-45de-a6c7-69f1daec5dd8/1994_honda_shadow_1100_specs.pdf
    • https://uploads.strikinglycdn.com/files/3de17299-f2d5-46f5-a2e6-7c14c5c37e84/good_penny_stocks_to_buy_in_2020.pdf
    • https://uploads.strikinglycdn.com/files/eb83ddfd-bbba-45ca-a2d0-72737ddb215e/38671361572.pdf
    • https://uploads.strikinglycdn.com/files/48d8c327-6333-4111-821d-2dcb44d78726/braun_thermoscan_7_digital_ear_thermometer_with_age_precision.pdf
    • http://vexolofifete.atwebpages.com/cambridge_checkpoint_english_coursebook_8_free_download.pdf
    • https://s3.amazonaws.com/faxaxos/kazujasoxuvetivezoxeweve.pdf
    • https://s3.amazonaws.com/vibasujefir/filomilosubatik.pdf
    • https://s3.amazonaws.com/gogoxowiniza/destruction_warlock_pvp_guide_3._3_5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
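The two structural checks above (the external URI action and the duplicate object definition across an incremental update) can be reproduced on raw bytes without a full PDF library. The following is an added example, not the analyzer's own code and not derived from the analyzed sample: it scans a constructed minimal PDF in which object 4 0 is redefined by an incremental update with a different /URI target, reports the duplicate, and shows which URL a first-wins reader and a last-wins reader would each follow. Object streams (compressed /ObjStm) and hex-string /URI operands are deliberately out of scope; a production scanner would inflate object streams first.

```python
import re
from collections import defaultdict

# Constructed sample, not the analyzed file: a minimal PDF with one link
# annotation, followed by an incremental update that redefines object 4 0 with
# a different /URI target. Cross-reference tables are omitted because this
# scanner walks the raw bytes rather than the xref chain.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://attacker.invalid/redirect) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" for uncompressed indirect objects. Objects packed into
# object streams would first need /FlateDecode handling, which is out of scope.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI with a literal-string operand; a ")" escaped as "\)" does not end the
# string. Hex-string operands (<...>) are not handled.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)


def iter_objects(data):
    """Yield (num, gen, body, offset) for each object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(data):
    """Object ids defined more than once with differing bodies -> list of bodies."""
    seen = defaultdict(list)
    for num, gen, body, _ in iter_objects(data):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(data, num, gen=0, policy="last"):
    """Pick the body a first-wins or last-wins reader would use for (num, gen)."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(body):
    """Literal-string /URI operands in one object body, decoded as Latin-1."""
    return [u.decode("latin-1") for u in URI_RE.findall(body or b"")]


def uri_targets(data, policy="last"):
    """{(num, gen): [uri, ...]} as seen under the given duplicate-resolution policy."""
    ids = {(n, g) for n, g, _, _ in iter_objects(data)}
    out = {}
    for num, gen in sorted(ids):
        uris = extract_uris(resolve(data, num, gen, policy))
        if uris:
            out[(num, gen)] = uris
    return out


# Markers that make a duplicated body "active content" for severity purposes.
ACTIVE_MARKERS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def analyze(data):
    """Duplicates, whether any duplicate carries active content, and the URI view
    of first-wins versus last-wins readers."""
    dups = duplicate_objects(data)
    return {
        "duplicates": sorted(dups),
        "duplicate_with_active_content": any(
            any(marker in body for marker in ACTIVE_MARKERS)
            for bodies in dups.values() for body in bodies),
        "first_wins_uris": uri_targets(data, "first"),
        "last_wins_uris": uri_targets(data, "last"),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(SAMPLE_PDF))
```

On the constructed sample the duplicate (4, 0) is reported, the active-content flag is set because both bodies hold a /URI action, and the two policies disagree on the target: a first-wins reader resolves https://example.org/benign while a last-wins reader (the behaviour of a reader that honours the incremental update) resolves https://attacker.invalid/redirect. That disagreement is exactly what the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic is looking for; run both policies rather than trusting whichever one your PDF library happens to implement.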

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000100ce.bin
  SHA-256: 6f4cc08d1201d7a51be5bcf74ecf88561571b67ed8007151c300e2839f61fe0f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x100CE
  Size: 5932 bytes

Filename: font_01_sfnt_off000114dd.bin
  SHA-256: 014bf42cc78b29628a0c07afbeac268c24bec714de76dad8e54b2b50ecb9d65a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x114DD
  Size: 11068 bytes