Malicious PDF — malware analysis report

Static analysis result for SHA-256 e436c19d44d49e59…

MALICIOUS

PDF

Size: 162.4 KB
Created: 2021-03-16 09:39:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e3bc25082697bc283daacf2f553e7220
SHA-1: 7fa97831a1d5ea5ec33ee4ca1ac2622a30ff88a9
SHA-256: e436c19d44d49e59abe5b1cf3e3c4c8794d075d8c0535340b13702047b2413b3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support its malicious nature. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site, likely for phishing or to download a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9930

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://nipisod.ru/wix?keyword=ohio+license+plate+county+numbers

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename, kind, source and size of each carved file (SHA-256 on the following line):

  • font_00_sfnt_off000206ef.bin (pdf-font-stream, 4692 bytes): PDF embedded font (sfnt) at offset 0x206EF
    SHA-256: adde2e031afd8a9e8c5bc177fe45df5b93440e87dba974e78baaf58c72035e9b
  • font_01_sfnt_off00021750.bin (pdf-font-stream, 5444 bytes): PDF embedded font (sfnt) at offset 0x21750
    SHA-256: 850c0d40b28c255201aa5313b0843246daf52e25ab42fb83e90af7e77458f325
  • font_02_sfnt_off00022967.bin (pdf-font-stream, 3420 bytes): PDF embedded font (sfnt) at offset 0x22967
    SHA-256: c7f01abd1669703e4a9e0f50d40ead38cba41c6bc680a6d9eec5501137af4ab7
  • font_03_sfnt_off00023605.bin (pdf-font-stream, 16056 bytes): PDF embedded font (sfnt) at offset 0x23605
    SHA-256: 265a19a818dec6fecaecfbcbbba5bda9a5d1340b5969212c15e9737373015847
  • font_04_sfnt_off000266fb.bin (pdf-font-stream, 16068 bytes): PDF embedded font (sfnt) at offset 0x266FB
    SHA-256: 5d72d630640305d452d914085fd6c65e0d8125198bed8028c282d44fd0327be8