Malicious PDF — malware analysis report

Static analysis result for SHA-256 d52ed29af3299720…

Verdict: MALICIOUS
File type: PDF
Size: 80.5 KB
Created: 2021-03-12 18:51:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f8d5f48ee71600c81b91a768b327d74
SHA-1: 1e33ffe10482839b7441be9edd0210dcc147aadd
SHA-256: d52ed29af3299720dfd26816a85ddc83ab7c02f73bfc96bfa21ed41e4a406a6f
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious and phishing-related. The 'SE_CALLBACK_LURE' heuristic specifically indicates the document prompts the user to call a phone number, consistent with callback phishing or tech-support scams. While no document body text was readable, the presence of external URIs suggests a potential download or redirection to a malicious site. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/aws?utm_term=vox+vt20%252B+amp
    • http://stassikorskyi.com/3304482216yhikk.pdf
    • http://datab.vip/what_is_the_timbre_of_laos_musictb0s7.pdf
    • http://in-step.shop/zoxifimaxomitxl7qn.pdf
    • http://bokaxakoz.sportsontheweb.net/petigovetofefe.pdf
    • http://brumbum6.xyz/gosebobavijotadivapezedokqepj3.pdf
    • http://kuzexamipapoxip.medianewsonline.com/joruk.pdf
    • http://justiciaforjustice.com/82683594714cm8ko.pdf
    • http://tarigutese.mygamesonline.org/gesaxebojirapa.pdf
    • http://amorexpo.com/best_fast_browser_for_pccwbnf.pdf
    • http://fastgetme.online/13176453642893m1.pdf
    • http://velesvoyage.ru/28441157274s85g1.pdf
    • http://zaxevef.getenjoyment.net/how_to_force_split_screen_android.pdf
    • http://zdorovie-vashe-vse.xyz/warrior_cats_books_series_1d3dn2.pdf
    • http://technodom11.com/gijotulcjw12.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/9cc3a53b-736b-4be1-a7ca-5407571217e3/92386876975.pdf
    • https://uploads.strikinglycdn.com/files/1b255ff4-d3ff-4f4c-98e6-8774c88f9be7/44308505286.pdf
    • https://f904ef53-caa1-4f0f-8a97-c50675c03ece.filesusr.com/ugd/2f8cea_f0b0544c297341bc922fdcfcbd7bf695.pdf?index=true
    • https://fad58b31-c538-4d3f-828d-7998eec853b9.filesusr.com/ugd/7e6083_210f25d99a15485189ec6b7e39b75ae7.pdf?index=true
    • https://a3c35cc3-4a3f-4d41-ab51-8b3e4b114d30.filesusr.com/ugd/2b25b5_276174e1b10d4c8a82797423be0bb182.pdf?index=true
    • https://b998fa74-583e-446a-a2a7-67f41460fdb2.filesusr.com/ugd/e081f8_43e43ac3d1da41989a0828c6d70ebbed.pdf?index=true
    • https://44879a12-c10a-431c-a98a-7de142752d0f.filesusr.com/ugd/bb4607_6f05bcab42704a4b82f470ce8d91da59.pdf?index=true
    • http://fiforeru.atwebpages.com/what_are_the_risks_of_investing_in_real_estate.pdf
    • https://203e7bc3-08d7-4ecc-a8df-f797e0d4a079.filesusr.com/ugd/d4579c_5f9296f237eb487c8d52b79fa1af70cd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6b25ca3d-431f-49d2-b905-2644384fd4bd/bobudumufexebozofesufemi.pdf
    • https://7ef7ebf0-bcb0-4ca2-8538-5a19c3e9f01c.filesusr.com/ugd/aff7ca_22cd17249a5743b68359fa28bf80371b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f787.bin
    SHA-256: cadf959a7edd56a3c0395f7238e81d767a5843a5ae0be9fbbd740b9150a3f4a3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF787
    Size: 5024 bytes
  • font_01_sfnt_off0001089e.bin
    SHA-256: 9a2b6ffdaae36749fe655f6ebbc55c7e9abdf163c9f24dd42673ae357b27c31e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1089E
    Size: 13424 bytes