Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3f8e94b8af6c863…

Verdict: MALICIOUS
File type: PDF
Size: 71.7 KB
Created: 2021-03-23 08:38:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 018b8384c62133910a5c7df936fd493b
SHA-1: eeca30b417dc0de934ff6da9c4ae45aa6e99c71c
SHA-256: d3f8e94b8af6c86353a9e5eeabd6fbb237c6fef02c791568eb4c54f64ed66910
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to 'zajinet.ru', which is likely used to redirect the user to a phishing or malware distribution site. The document body, though partially corrupted, suggests a lure related to educational content to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://zajinet.ru/wix?keyword=algebra+2+conditional+probability+worksheet

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d420.bin
    SHA-256: 4be1140a8fc3c1fe0252965dae16508bc17abeb5f030c5b8da302f29bbf65a3c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD420
    Size: 5856 bytes
  • font_01_sfnt_off0000e819.bin
    SHA-256: 7a5ed07708511a3af7cad8c7ab5e82aacf715c9f71510ced08208a1674edab78
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE819
    Size: 11600 bytes