Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbcc85a42c0220c9…

MALICIOUS

PDF

Size: 97.4 KB
Created: 2021-05-14 20:40:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fc967ec3a84ff5c327f4cff954ac53d9
SHA-1: 5e1301392e5e73127847f5e68fac08b26f887f30
SHA-256: dbcc85a42c0220c9cc1c6b4f28723af406542b103bb7d2faf2eea2c5ff56649b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The PDF contains an embedded URI pointing to 'xajibur.ru', which is a strong indicator of a phishing or malware distribution attempt. While no scripts were explicitly extracted, the presence of embedded URLs and the overall detection suggest the document is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/strik?utm_term=naz%25C4%25B1m+hikmet+%25C5%259Fiir+kitaplar%25C4%25B1+d%2526r

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00013636.bin
    SHA-256: f463cfab5bc14a905143abdeb2ede870cf889d7344557bc725059a8aedebdefe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13636
    Size: 5384 bytes
  • font_01_sfnt_off00014864.bin
    SHA-256: c65f2fd4fdedfd881c68b91e836a6e6c1795c03f41dfc98608d87d0889e8ea1e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14864
    Size: 15720 bytes