Malicious PDF — malware analysis report

Static analysis result for SHA-256 d74d264a2757cd6e…

Verdict: MALICIOUS

File type: PDF

Size: 79.1 KB
Created: 2021-03-22 10:33:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9f9c26f1065d3dcf1a96a9b16d847040
SHA-1: 5ef3af455f1936e8a991f70cba0a7ffba3acda8c
SHA-256: d74d264a2757cd6ef92726429612459159b412e5e51d2f2556663da2eed8e69f
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is flagged by both the ML classifier and ClamAV, and its heuristics are consistent with a phishing lure rather than an exploit document. The rendered content offers a free textbook download, a common phishing tactic; the first extracted URL, on xezojetit.ru, carries the same textbook search phrase in its query string and is the likely download source for a secondary payload. The remaining .pdf links point at unrelated hosts and share the same keyword-stuffed path or random-filename pattern. No JavaScript or other scripts were extracted, so the T1059.007 mapping is not backed by recovered code; the verdict rests on the ClamAV signature, the classifier score, the external URI action and the download lure. The XMP namespace URIs (w3.org, purl.org, ns.adobe.com) and the font licence and font vendor links (scripts.sil.org/OFL, ascendercorp.com) are benign metadata from the authoring tool and the embedded fonts, not lure links.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/award?keyword=aircraft+structures+for+engineering+students+6th+edition+pdf+free+download
    • https://cdn.sqhk.co/bexefoboxevi/gdNPSid/horizon_drift_tune.pdf
    • http://front-glass.website/543338075510i0ff.pdf
    • https://cdn.sqhk.co/dutaxato/jdyjjKp/battleground_survival_game_apkpure.pdf
    • http://phtech.site/roman_breviary_baronius_pressd06c6.pdf
    • http://academic-club.ru/taurus_pt111_g2_rear_sight_replacementj7v1s.pdf
    • https://cdn.sqhk.co/pasivuzuke/g0CMFzN/ninja_dash_run_2020_mod_apk.pdf
    • http://kersita.space/26297174480ifkye.pdf
    • https://static.s123-cdn-static.com/uploads/4388824/normal_6005831d9840b.pdf
    • http://goproonly.com/entry_level_android_developer_jobs_in_singaporelrfhs.pdf
    • http://flipping-car.online/what_does_memento_mori_unus_annus_meantxdln.pdf
    • http://1xbet-regi.site/42570579297tyx3z.pdf
    • http://reduslim-buy.site/hot_wheels_apple_id_bone_shaker47u3m.pdf
    • http://ihsteam.ru/boss_audio_bv9386nv_steering_wheel_controls03zru.pdf
    • https://cdn-cms.f-static.net/uploads/4373504/normal_600a955944daa.pdf
    • https://cdn.sqhk.co/nupozifulija/ji0ggjC/converting_between_metric_units_worksheet.pdf
    • http://p-kavkaza.ru/bajrangi_bhaijaan_all_songs_free_320kbpsqern4.pdf
    • http://bitsracing.net/why_is_my_phone_stuck_on_the_lg_screenacwk4.pdf
    • http://goproonly.com/8839716821p42du.pdf
    • https://cdn-cms.f-static.net/uploads/4378621/normal_604b2b5abe38c.pdf
    • http://vykupavto54.ru/topedijazugugenxq981.pdf
    • https://cdn.sqhk.co/geroterunetu/ijgjigk/video_status_market_sad_song.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3da7c798-d775-4179-a217-f2ebf98a8fd9/fewufu.pdf
    • https://uploads.strikinglycdn.com/files/d5ca879b-66a7-4946-83ae-a50065c9b53e/sidewifususevosomi.pdf
    • https://uploads.strikinglycdn.com/files/628a5c6a-1969-4337-a61e-98a614589c8d/rexton_smart_connect_app.pdf
    • https://uploads.strikinglycdn.com/files/9b4f60b2-d867-441f-8ce9-7d5c6a564569/finuxebebexid.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
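The duplicate-object heuristic (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the per-channel URL labelling that EMBEDDED_URL refers to can both be reproduced with a small triage scanner. The Python below is an added example written for this report, not the analysis engine's own code. It runs over a constructed minimal PDF (not the analysed sample; cross-reference tables are omitted and the host names are reserved .invalid names) in which an incremental update redefines the link-annotation object with a different /URI. It lists object ids defined more than once with differing bodies, emulates first-wins and last-wins resolution so the two readers' views can be compared, applies the report's escalation rule (raise only when a duplicate carries active content), and tags each extracted URL with the channel that reached it so XMP namespace URIs are not mistaken for lure links.

```python
import re
from collections import defaultdict

# Constructed sample, not the analysed file: a minimal PDF whose incremental
# update redefines object 4 (the link annotation) with a different /URI.
# Cross-reference tables are omitted, so this is for parsing practice only.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.invalid/textbook.pdf) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (http://lure.invalid/free-download.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" definitions. Deliberately tolerant: this is a triage
# scanner, not a conforming PDF parser, and it will be fooled by "endobj"
# inside a binary stream or by objects packed in object streams (/ObjStm).
OBJ_RE = re.compile(rb"(?s)(\d+)\s+(\d+)\s+obj\b(.*?)endobj")
# Literal-string /URI values only; the hex-string form <...> is not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
XMLNS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')
# Keys that make a duplicate body "active content" and justify escalation.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/EmbeddedFile")


def parse_objects(pdf):
    """Every indirect-object definition as (num, gen, body), file order, duplicates kept."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(pdf)]


def find_duplicate_bodies(pdf):
    """(num, gen) -> bodies, for ids defined more than once with differing bytes."""
    seen = defaultdict(list)
    for num, gen, body in parse_objects(pdf):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(v) > 1 and len(set(v)) > 1}


def resolve_object(pdf, num, gen, policy="last"):
    """Emulate a first-wins or last-wins reader for one object id."""
    bodies = [b for n, g, b in parse_objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_severity(pdf):
    """'none' / 'info' / 'raised', following the report's escalation rule."""
    dups = find_duplicate_bodies(pdf)
    if not dups:
        return "none"
    active = any(key in body for bodies in dups.values()
                 for body in bodies for key in ACTIVE_KEYS)
    return "raised" if active else "info"


def extract_urls(pdf):
    """(channel, 'num gen', url) triples; channel records how the URL reached the file."""
    found = []
    for num, gen, body in parse_objects(pdf):
        for m in URI_RE.finditer(body):
            found.append(("uri-action", f"{num} {gen}", m.group(1).decode("latin-1")))
        if re.search(rb"/Type\s*/Metadata", body):
            for m in XMLNS_RE.finditer(body):
                ns = m.group(1).decode("latin-1")
                if ns.startswith("http"):
                    found.append(("xmp-namespace", f"{num} {gen}", ns))
    return found


if __name__ == "__main__":
    for (num, gen), bodies in find_duplicate_bodies(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(bodies)} times with different bodies")
        print("  first-wins:", resolve_object(SAMPLE_PDF, num, gen, "first")[:60])
        print("  last-wins: ", resolve_object(SAMPLE_PDF, num, gen, "last")[:60])
    print("severity:", duplicate_severity(SAMPLE_PDF))
    for channel, ref, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:14} obj {ref}: {url}")
```

On the sample this reports object 4 0 defined twice, shows that a first-wins reader follows the example.invalid link while a last-wins reader follows lure.invalid, escalates because the duplicate carries a /URI action, and lists the w3.org namespace URI under xmp-namespace rather than alongside the clickable link. The regex approach is enough to reproduce the heuristic on an uncompressed file; for real triage run the same logic on the output of a proper PDF parser so that object streams and compressed bodies are covered.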

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f55c.bin
  SHA-256: e2ce74ed78b5771cdec1b2983b87f6d3d4387a213c1e9a6f4ed4d354a31e9faa
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF55C
  Size: 5652 bytes

Filename: font_01_sfnt_off000108a4.bin
  SHA-256: a1084d2db0f5c87569b2df39c0fe501880c904f5fdc1cd4772a5856f0e6f452d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x108A4
  Size: 10828 bytes