Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5c99cf020b385ea…

MALICIOUS

PDF

Size: 149.9 KB
Created: 2021-03-14 03:31:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc62fa18b55f8572fc8d04b05f52022e
SHA-1: 1c6309f4e463d005595dff0db88a26e48e503035
SHA-256: e5c99cf020b385eadcc95b90190fd8bca4c884f81794dd4c0633a07ca05e4de4
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded URLs that are likely part of a phishing or malware distribution scheme, masquerading as a technical datasheet. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the presence of multiple suspicious URLs suggests the document is designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/123?utm_term=cisco+catalyst+c9500-+16x+datasheet
    • http://1xbets-regs.site/27638326634apgvj.pdf
    • https://cdn.sqhk.co/gukugifixija/id2gihb/monster_truck_toys_big.pdf
    • https://cdn.sqhk.co/gavezexu/hSQLOpi/84569384971.pdf
    • https://cdn.sqhk.co/nezerozara/LKjgHjb/23395014427.pdf
    • https://cdn.sqhk.co/falugojafat/xzaIiis/mini_basketball_hoop_walmart_in_store.pdf
    • https://cdn.sqhk.co/fuluzagile/hizPiak/yeti_pro_microphone_amazon.pdf
    • http://sibuvre.com/bhajan_aarti_ringtonefmxyz.pdf
    • http://www-sfr-fr-monespace.com/why_is_my_toastmaster_coffee_maker_not_workingdn8mm.pdf
    • https://gixujadimi.weebly.com/uploads/1/3/4/7/134708567/3f73ba10c.pdf
    • https://cdn.sqhk.co/rivogigaweb/jgiiNib/survivor_exile_island_cast.pdf
    • http://prizinsta365.website/pokemon_insurgence_walkthrough9lccc.pdf
    • https://sadaxolofomet.weebly.com/uploads/1/3/1/4/131453623/nitinulek.pdf
    • https://rowusebejaron.weebly.com/uploads/1/3/1/6/131637242/muwopaw.pdf
    • https://kinojapi.weebly.com/uploads/1/3/2/3/132302846/da650e5f72196c.pdf
    • https://cdn.sqhk.co/goponebegor/iJSNTTs/62270221417.pdf
    • https://cdn.sqhk.co/pewowutefiw/bFgirhe/sim_card_network_locked.pdf
    • http://repair-planshetov.ru/99087665258hsxz6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/81ed1029-569c-4f24-98f3-343aeecd19b6/how_often_to_change_oil_on_2019_vw_tiguan.pdf
    • https://uploads.strikinglycdn.com/files/7979170e-67fa-4226-a459-703d9db6a7e5/basic_geometry_terms_crossword_puzzle_answers.pdf
    • https://uploads.strikinglycdn.com/files/4a0b98c3-5d3e-4e08-8cb2-bc689bcbefbf/where_can_i_get_a_singer_sewing_machine_repair.pdf
    • https://uploads.strikinglycdn.com/files/66b5a0a3-c7e3-49bb-91e7-6a6296daa8b6/xaminafegeganewufivazope.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001dc70.bin
    SHA-256: 3f68079fb4df3032d7e6d44421c89ed4dc10dd16653f0019cd47d2b28c50f562
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1DC70
    Size: 5464 bytes
  • font_01_sfnt_off0001ef22.bin
    SHA-256: 529c9d64db6f0dd3a3fd1e34bfca44879261ac67ffe15d957209e716a62e002d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1EF22
    Size: 21180 bytes
  • font_02_sfnt_off000223a0.bin
    SHA-256: d6354e55a0ef37be0a61ea5c81a5777e0d3d2e8edb3ff3de3a4eaf5ff52a9aaf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x223A0
    Size: 16348 bytes
  • font_03_sfnt_off00023977.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23977
    Size: 4324 bytes