Malicious PDF — malware analysis report

Static analysis result for SHA-256 de920af79ce92b3f…

Verdict: MALICIOUS
File type: PDF
Size: 185.5 KB
Created: 2021-04-02 01:08:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60536de22ec2f7cc35c28e59af5be264
SHA-1: 4e791b4a85bd1037055461101c781e154e81cf16
SHA-256: de920af79ce92b3fbe1ed6e108fd1bd7cc2f1385c428a746a274cf8989b46234
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript (no JavaScript heuristic appears among the findings below, so this mapping is not corroborated by the listed detections)

The file is flagged as malicious by the ML classifier (score 0.9987) and by a ClamAV phishing-PDF signature. It carries many external URLs (not all of them navigation targets), one of them flagged as suspicious; the link targets are mostly .pdf paths on free web-hosting subdomains, throwaway domains and public S3 buckets, which is the shape of a phishing lure that sends the reader to an attacker-controlled download rather than carrying an exploit in the file itself. The producer metadata (wkhtmltopdf 0.12.5 via Qt 4.8.7) shows the PDF was rendered from an HTML page; that tool is legitimate and widely used, so it is corroborating context for a mass-generated lure, not evidence on its own. Because one object number is defined twice with different bodies (see the heuristics below), first-wins and last-wins readers can resolve different content, so confirm which definition a victim's reader actually uses before acting on the URL list.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV matched this signature on the file; the family name marks it as a phishing-lure PDF rather than an exploit document.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://jumiwimov.ru/123?utm_term=android+sync+adapter+example+code
    • https://cdn.sqhk.co/xumupojamax/gfPBhaD/rc_helicopter_simulator_online.pdf
    • http://leseweremizew.scienceontheweb.net/76826392316.pdf
    • http://tryporte.xyz/sebuvemutuduninoforafyoxs9.pdf
    • http://alsamcctv.com/16307257344n3bay.pdf
    • http://ripugusulufiluj.getenjoyment.net/60353441091.pdf
    • http://sodalabs.pro/61937492276by4n2.pdf
    • http://discout.online/excellence_riviera_cancun_restaurantsqgbjy.pdf
    • http://japamawosoj.mygamesonline.org/raxafelerigojiti.pdf
    • http://sakabeg.iblogger.org/anlise_de_contedo_bardin_1977.pdf
    • https://cdn.sqhk.co/dagozuwemep/HaDhbij/umc_zorgverzekering_inloggen_digid.pdf
    • http://begdas.space/power_bi_template_designt90en.pdf
    • http://storezone.info/how_much_is_a_2015_honda_accord_starter5oz6d.pdf
    • http://hq-cleartv.info/the_yoga_republic_onlinesfi7g.pdf
    • https://cdn.sqhk.co/damukowabij/jbnBbhh/rusuriwiranazuzudivuged.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/nigimul/kukojotesifuzuwoxewito.pdf
    • https://s3.amazonaws.com/sinamozagemoger/17869523078.pdf
    • http://kixarakukam.rf.gd/braun_coffee_maker_error_codes.pdf
    • http://fegumipidibig.rf.gd/20378185426.pdf
    • http://penobugixova.atwebpages.com/data_clustering_theory_algorithms_and_applications_download.pdf
    • https://s3.amazonaws.com/latufenaw/jelikupu.pdf
    • https://s3.amazonaws.com/niwotipugonuvoz/94977722243.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The last nine entries are not navigation targets: the w3.org, purl.org and ns.adobe.com URIs are RDF/XMP namespace identifiers from the document metadata, and scripts.sil.org/OFL and dejavu.sourceforge.net are font-license URLs from the embedded DejaVu font data (the two ascendercorp.com entries above are most likely font name-table strings as well). Exclude them before pivoting on this list as indicators.
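The two heuristics above (duplicate object bodies, and URL extraction labelled by channel) can be reproduced with a byte-level scan. The block below is an added example and is not the analysis platform's code: it lists every `N G obj ... endobj` definition, flags object numbers defined more than once with differing body bytes, reports what a first-wins and a last-wins reader would resolve, and raises severity only when a definition carries active content, as the heuristic text describes. It also extracts URLs and tags each with the channel (link annotation, XMP metadata, JavaScript, plain body) it was found in. Streams are matched raw, not decoded, so FlateDecode content is out of scope. The sample PDF, its incremental update and the hostnames in it are constructed for the demo.

```python
"""Duplicate-object and URL-channel triage for PDFs (added example)."""
import hashlib
import re
from collections import defaultdict

# 'N G obj ... endobj' at the byte level; streams are matched raw, not decoded
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Dictionary keys that make a redefined object change reader behaviour
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def parse_objects(data):
    """Yield (num, gen, body, body_offset) for every indirect object, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3), m.start(3)


def resolve(data, num, gen, policy="last"):
    """Body a reader sees for (num, gen): 'first' keeps the first definition,
    'last' the final one, as an incremental-update-aware reader would."""
    bodies = [b for n, g, b, _ in parse_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def find_duplicate_objects(data):
    """Flag (num, gen) pairs defined more than once with differing body bytes.
    Identical re-emissions are ignored; severity is raised only when some
    definition carries active content, matching the heuristic's rule."""
    defs = defaultdict(list)
    for num, gen, body, off in parse_objects(data):
        defs[(num, gen)].append((off, body))
    findings = []
    for (num, gen), entries in defs.items():
        digests = [hashlib.sha256(b).hexdigest() for _, b in entries]
        if len(entries) < 2 or len(set(digests)) == 1:
            continue
        active = any(k in b for _, b in entries for k in ACTIVE_KEYS)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(entries),
            "offsets": [off for off, _ in entries],
            "first_wins_sha256": digests[0],
            "last_wins_sha256": digests[-1],
            "active_content": active,
            "severity": "high" if active else "info",
        })
    return findings


def channel_for(body):
    """Label the channel through which a URL in this object reaches the reader."""
    if b"/JavaScript" in body or b"/JS" in body:
        return "javascript"
    if b"/URI" in body:
        return "link-annotation"
    if b"/Type /Metadata" in body or b"xmpmeta" in body:
        return "xmp-metadata"
    return "document-body"


def extract_urls(data):
    """One record per URL occurrence, attributed to its object and channel."""
    records = []
    for num, gen, body, off in parse_objects(data):
        channel = channel_for(body)
        for m in URL_RE.finditer(body):
            records.append({"url": m.group(0).decode("latin-1"),
                            "object": f"{num} {gen}",
                            "channel": channel,
                            "offset": off + m.start()})
    return records


# Constructed sample: a minimal PDF followed by one incremental update that
# redefines link annotation 4 0 with a different /URI. No xref tables are
# included because the scan above never consults them. Hostnames are hypothetical.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]
   /A << /S /URI /URI (https://example.org/benign.pdf) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 114 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]
   /A << /S /URI /URI (http://phish.invalid/sample.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print("DUPLICATE", f)
    for r in extract_urls(SAMPLE_PDF):
        print("URL", r)
    print("first-wins:", resolve(SAMPLE_PDF, 4, 0, "first"))
    print("last-wins: ", resolve(SAMPLE_PDF, 4, 0, "last"))
```

On the sample, the duplicate of `4 0` is reported as high severity because both definitions carry a `/URI` action, and the two resolve policies return different link targets: a first-wins reader lands on the benign URL, a last-wins reader on the phishing URL. The XMP namespace URL is attributed to the `xmp-metadata` channel, which is the label that lets a triage pipeline drop it from the indicator set instead of treating it like a link target.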

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are sfnt (TrueType/OpenType) font programs embedded by the generator; their hashes are useful for matching other samples produced by the same builder.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00027dbb.bin | 19b1b19c9e2fa1b1ae8a0c91f0ae12fc59d1c4d64711568d24a54e9ff60ea1b5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27DBB | 5380 bytes
font_01_sfnt_off00028fff.bin | 95176d747d82175ba8b027541a82849d8b38f61c3cfbdd01b20114b39d977846 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28FFF | 19920 bytes
font_02_sfnt_off0002c28f.bin | fce1d3808ee41a5d7aba3ae2e43aab6724999d75495c80b4ec843f478561dfb1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C28F | 16164 bytes