Malicious PDF — malware analysis report

Static analysis result for SHA-256 daf4165770b8a7a6…

Verdict: MALICIOUS
File type: PDF
Size: 73.3 KB
Created: 2021-03-10 06:50:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: fd0f85119a8c9b14131af60df3a34778
SHA-1: da40713013360720b4f6de558c9fd1ad4b951ec7
SHA-256: daf4165770b8a7a6c222863833d1ea102e565be6a580c7343582babde59cdf36
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that mimics a search result, likely intended to trick the user into navigating to a malicious site. Although no scripts were explicitly extracted, the PDF structure and embedded URI heuristic suggest it is designed to facilitate phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9996)

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info, PDF_URI]
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=chemical+engineering+thermodynamics+pdf+notes (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e28d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE28D
    Size: 5576 bytes
    SHA-256: 6cd1937328de776c43967ef8f2e091cf44f7bd50ec8e2c3cd3ca9780d7874be0
  • font_01_sfnt_off0000f55b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF55B
    Size: 10108 bytes
    SHA-256: a5358dd6706ef82c35ad4b9b5be56baa3dda61d55b12625b9ee51d5f4ce5ed6c