Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4f4b6d85243c2c2…

MALICIOUS

PDF

Size: 78.5 KB
Created: 2021-03-14 07:50:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b8e540394b84cc21ddce520577da8fa
SHA-1: 5ac8efb5a5c64677e9cd573dd3555546bd893a16
SHA-256: d4f4b6d85243c2c204663f82c19f8099db2e776f527c0edd4b88352ebd0731a8
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically identified as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. Although no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document:
    • https://resalured.ru/award?keyword=adjetivos+cuantitativos+en+ingles+pdf
    • https://sajofagexureleb.weebly.com/uploads/1/3/4/6/134652103/riburesu_pofazorotosilof_tekekozupatum.pdf
    • https://xizirasifeda.weebly.com/uploads/1/3/4/3/134344010/wuzusoviraw-pivedunusemit-zepozonosut.pdf
    • https://rezisepadas.weebly.com/uploads/1/3/4/2/134235668/5717220.pdf
    • https://pugiputofal.weebly.com/uploads/1/3/4/7/134740318/jubowigev_gubujawuxegipek_goxevaseketesa.pdf
    • http://newoxoxi.mywebcommunity.org/accounting_standards_list.pdf
    • http://betijeduw.getenjoyment.net/62906112061.pdf
    • http://bibopasaxuvibu.mypressonline.com/why_does_my_water_softener_taste_like_salt.pdf
    • https://static.s123-cdn-static.com/uploads/4461201/normal_6004c000a44c4.pdf
    • https://betutoza.weebly.com/uploads/1/3/4/8/134899773/8380199.pdf
    • http://redirunna.xyz/mind_control_101_jk_ellisilv57.pdf
    • https://cdn-cms.f-static.net/uploads/4377401/normal_5fe8549dcdfa1.pdf
    • https://cdn-cms.f-static.net/uploads/4365583/normal_5fd3c2a4838d5.pdf
    • http://laithub.pro/when_breath_becomes_air_audiobook_vktjp2q.pdf
    • https://cdn-cms.f-static.net/uploads/4458122/normal_5fd385c8f30fb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://73856814-13bb-4d44-aeaf-752cce6ba6bd.filesusr.com/ugd/a0d21a_d5d3e578581b484287a26b9719ded7cb.pdf?index=true
    • https://ce322291-b3da-4cc2-ae0f-523e25daec44.filesusr.com/ugd/4530da_5c95fc9c67cb4753aa150bbddc7c923f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2064a554-a3e0-4312-bfa5-351d44fe3b06/how_long_should_you_cook_a_waffle_in_a_waffle_maker.pdf
    • http://zuxokoberibaw.atwebpages.com/fofeloxajufenoxolimuzokuv.pdf
    • https://d09251a9-b09e-4077-8ccb-24037f005f7b.filesusr.com/ugd/a6ce17_7f63568d2eee4b0faa4de259a2968365.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7bf98561-693c-4299-b103-56061e18b559/14945182532.pdf
    • https://uploads.strikinglycdn.com/files/7c59f88a-ad42-4f96-9e9b-ffce1d052733/application_of_integral_calculus_word_problems_with_solutions.pdf
    • https://9de673a2-3b8e-40eb-bbf5-c0ad8e71a3da.filesusr.com/ugd/bd5c68_5c73b3305253453e87f3aca9c72f8d63.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ce8c1ac0-3cf9-433f-844d-248b3837cebe/zokawibateve.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f19f.bin
SHA-256: 364e0089da9e4dfd46086ff791032fb32495bc88c05a3fec008cd43b769c844c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF19F
Size: 5352 bytes

Filename: font_01_sfnt_off000103fe.bin
SHA-256: 0fc3e82522dd79e4943ed088ad4b1e8c2bd9ab81574d497968936bdf87eb6766
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x103FE
Size: 11856 bytes