Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5a97604d656c22c…

MALICIOUS

PDF

74.1 KB Created: 2020-12-21 03:44:37 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: caa99d90bcc9ebab52a1b752018d75dc SHA-1: 1fc372ba6aa1cd9c9333073ae847ddb1a294224a SHA-256: e5a97604d656c22c6b447d0b9b04b66796bf4e6d92c3fa63f6df2a443ef70f31
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that directs users to a phishing site disguised as a troubleshooting guide. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for credential harvesting or malware delivery. No scripts were extracted, but the presence of a malicious URL is a high-priority indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/strik?utm_term=beats+solo+3+troubleshooting
    • https://static.s123-cdn-static.com/uploads/4404133/normal_5fcb47682d7b9.pdf
    • https://cdn-cms.f-static.net/uploads/4480905/normal_5fbc77ec3e4c8.pdf
    • https://cdn-cms.f-static.net/uploads/4481684/normal_5fade414829c8.pdf
    • https://cdn-cms.f-static.net/uploads/4501214/normal_5fb92f81daa1a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/d9ebed99-d030-497c-ba3f-e2f8379830ec/anatomy_and_physiology_terminology_p.pdf
    • https://s3.amazonaws.com/bajuse/manually_bootcamp_windows_support_software.pdf
    • https://static1.squarespace.com/static/5fbffb332bbd740658015355/t/5fc1d0f4e18c5c478e3e7d20/1606537460951/dragon_quest_builders_prima_guide.pdf
    • https://static1.squarespace.com/static/5fc54070c14dfd36fe0e2b11/t/5fcaa109ca7d212f763e6120/1607115017746/call_of_victory_hack_download.pdf
    • https://static1.squarespace.com/static/5fc51f41c30a162e0c6ddaa3/t/5fce323f05ddc9599d4c69b7/1607348800312/super_hero_squad_juego_stark_tower_defense.pdf
    • https://uploads.strikinglycdn.com/files/6f43fbd3-6291-49aa-bd90-12f23fa393e4/l_words_for_kids.pdf
    • https://uploads.strikinglycdn.com/files/a38b50d4-2b30-4ca0-8d64-18551ee131c9/wajikozazemavif.pdf
    • https://static1.squarespace.com/static/5fde97c9d0ff57695e6cefc3/t/5fded59215a11837d0b00738/1608439187157/tesco_festive_job_questionnaire_answers_2018.pdf
    • https://s3.amazonaws.com/dutimajizowa/77992369555.pdf
    • https://static1.squarespace.com/static/5fdc79b839866a15ab3def02/t/5fdcf07521bc3e145ee76f65/1608314998041/dosuletafosololow.pdf
    • https://static1.squarespace.com/static/5fc2a167cd1e280355df4762/t/5fc82682b74dd54858cd853e/1606952579631/jumping_monster_run_flip_master_unblocked.pdf
    • https://uploads.strikinglycdn.com/files/f2af6c82-f79b-40cd-9892-eca6c0ebc254/euro_truck_simulator_2_full_program.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc56.bin
6cf4f431754d7e02ec2531fce068e3441bbaa1e721f688c01fef21e65670d7b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC56 5180 bytes
font_01_sfnt_off0000ddda.bin
c11552f819352db998b71f269b26144d9d34073944b610192b6ad0fba9d0a266		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDDDA 2212 bytes
font_02_sfnt_off0000e7eb.bin
c44c6587d4fb13ca3373dd57e32c7ec7e616af7dd16d11f7bf0e928db862f94f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE7EB 10824 bytes
font_03_sfnt_off00010d09.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10D09 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.