Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6398f5f766bc9a9…

MALICIOUS

PDF

206.4 KB Created: 2021-02-14 06:31:20 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e3018813de65b390aa8cb1290d3c8d5 SHA-1: d72172c66b39f6ef12099a73ee78584affd3880a SHA-256: d6398f5f766bc9a984830eb8f582c7c8e1d9b301f705de2212a9a58de60ce433
144 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains multiple suspicious links and invisible links pointing to domains that host further malicious PDFs, suggesting a phishing or malware distribution scheme. The presence of a 'download button' lure further supports this, aiming to trick users into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9917

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/wix?keyword=best+fiends+cheats+level+315
    • http://mebets.xyz/26641289912s0k6o.pdf
    • http://pirawamajakemiv.22web.org/timesheet_calculator_with_lunch.pdf
    • http://importants.space/astroneer_small_fabricatorqnk6q.pdf
    • http://itawomen.fun/veripozekopuwapatiipakn.pdf
    • http://fb-copyright-help-from.com/telalurufeweju8vpy1.pdf
    • https://static.s123-cdn-static.com/uploads/4476596/normal_5ffce5337efa1.pdf
    • http://voirlo.xyz/65895552122bamcx.pdf
    • http://autokenn.com/bcs_english_bookcm2q4.pdf
    • https://static.s123-cdn-static.com/uploads/4427506/normal_6008a58c6334b.pdf
    • http://securityofusersdevicesonline.site/business_administration_jobs_listh4zi9.pdf
    • http://freshka.fun/kopa_samsu_lyricslau20.pdf
    • http://normab-id.com/5_steps_to_a_5_ap_english_language_2soh30.pdf
    • http://tramlaweq.online/battle_brothers_guide_perks7pz7a.pdf
    • http://inostrana.com/additional_information_teaching_applicationpsjf7.pdf
    • http://zoo-taxi.site/xonoga0jag.pdf
    • https://cdn-cms.f-static.net/uploads/4381090/normal_601b048f6d533.pdf
    • http://mesretly.xyz/nfl_standings_2018_playoffsyafiz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://pufovipejofag.epizy.com/manual_change_detection_angular_6.pdf
    • http://talulof.epizy.com/fuvumifosukojuzi.pdf
    • http://sarirepenibe.epizy.com/choir_music_sheet_holder.pdf
    • http://voginafukut.rf.gd/octonauts_videos_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002c593.bin
c3e9e254d4e6879cbc4b13e763c17e6acb3168a60505aa6de24c868356e62d5a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2C593 5460 bytes
font_01_sfnt_off0002d83a.bin
8d2bf6295d11cc3a301006ab8ad06f6030235cc9e9b7344e092e9c3a18775fe7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2D83A 2520 bytes
font_02_sfnt_off0002e35d.bin
e3965a1e8b35c3ec0b715101739c8eb1b40e689fb8697b2fe225a267ba5741cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2E35D 14724 bytes
font_03_sfnt_off00031192.bin
2c017707c481b62a0d714f5fa8c7fa4e84804a522255c690e1bc271eb0f1e41d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x31192 17092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.