Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6e99134962cac3d…

Verdict: MALICIOUS
File type: PDF
Size: 71.9 KB | Created: 2021-03-11 15:41:10 +02:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f26d5cf2f866f9da24f640c16179f43f
SHA-1: e9a9d04e9ff078184075b802054b8d94741bd0c4
SHA-256: d6e99134962cac3d9c6a91adceeff1cdc64f86a4e58216efe25a34a54e690705
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF that contains an embedded URL, identified by heuristics and ClamAV as malicious. The ML classifier also strongly flagged this PDF. The embedded URL, 'https://jumiwimov.ru/wix?keyword=calculating+bmi+worksheet+answers', suggests a lure related to a worksheet, likely to trick users into clicking and potentially downloading further malicious content or submitting sensitive information. No scripts were extracted, but the presence of malicious URLs and strong heuristic detections indicates a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/wix?keyword=calculating+bmi+worksheet+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000dc5f.bin
    SHA-256: 262cdc6d4fc27a454748c1e0583dd22467df25cd5eea59dc71b3e7e0207e7b01
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xDC5F | Size: 5416 bytes
  • Filename: font_01_sfnt_off0000eeae.bin
    SHA-256: 6fa3dabcde025ba2c6abdb5bd91d4fe5db2526e04cb715b820031b5bd9fb90ce
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xEEAE | Size: 10264 bytes