Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5d2c9c5d84660a7…

Verdict: MALICIOUS
File type: PDF
Size: 102.7 KB
Created: 2021-06-01 13:16:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0b719b48dd922f8a07f1a6d5a5fb37a9
SHA-1: d83264462ee962bc401b60ba9067c9f2ae40de06
SHA-256: e5d2c9c5d84660a7ad4dd4e575e6d2161829d8f91be1c494fcd2606d816dffec
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains embedded URLs that point to suspicious domains, suggesting a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the presence of external URIs and the overall detection by security tools point towards a phishing lure designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nomylo.ru/uplcv?utm_term=ziarat+e+warisa+full+pdf
    • https://www.latentoac.com/portal/wp-content/plugins/super-forms/uploads/php/files/tgohptou2ks8b1ob1guoruqt7t/79347667318.pdf
    • https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/b9757cij7729ugi64tt85c14jv/52852609256.pdf
    • http://www.skup.it/wp-content/plugins/formcraft/file-upload/server/content/files/1607fda30b8fa7---xabomonuniralumujefal.pdf
    • https://izharfoster.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fcaaa495b6---12829119054.pdf
    • http://associacaoguainumbi.org.br/wp/wp-content/plugins/formcraft/file-upload/server/content/files/1608365d73fbfe---gebafisebow.pdf
    • http://baanpowertrain.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098ae9c057db---tegajotabudoritogikuduvi.pdf
    • https://getlovebooks.com/wp-content/plugins/super-forms/uploads/php/files/e90ae0e7c2eae1dd48f5f2d936c8d92e/duwewijoluwafazigujefug.pdf
    • https://maidintown.co.uk/wp-content/plugins/super-forms/uploads/php/files/bea01ab749ed15a4a41fc25ac4deeb20/78281380826.pdf
    • https://schreinerheusi.de/wp-content/plugins/formcraft/file-upload/server/content/files/160acd2ad43c87---41994803038.pdf
    • https://sip7.pl/autoinstalator/sip7.online/wp-content/plugins/super-forms/uploads/php/files/ec9bff9085755dbe84a36ea2df9d3c07/14862876792.pdf
    • http://for-rent-aalst.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a2ad639313e---66937433733.pdf
    • http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16086cbf9eb3c9---8448762641.pdf
    • https://jclifeschools.org/wp-content/plugins/super-forms/uploads/php/files/45ebffbfffdc3faa6917d35056c0f545/31215487581.pdf
    • https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/o0mu0v3mht84ev9ckj3gq5begs/tizomividamarij.pdf
    • http://www.peplex.it/wp-content/plugins/formcraft/file-upload/server/content/files/16070854bd186c---95752108035.pdf
    • http://claudiodauelsberg.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607b57ca951a2---zedugoweje.pdf
    • https://www.golddustdental.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e0e3ab0898---33309776133.pdf
    • https://nobleanimalsanctuary.org/wp-content/plugins/super-forms/uploads/php/files/tmp/35554400214.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source location inside the sample, and size.

  • stream_005_off00014d31.bin
    SHA-256: 85badca121837de6cb1c01ce734388a1a4a1702b57a761f4eaccecd62ced734d
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x14D31
    Size: 26420 bytes
  • font_00_sfnt_off00010e48.bin
    SHA-256: ef3648a5fe7920acc04663d7540f34f272ee1220281792b72e6994a7ef33a8fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E48
    Size: 3048 bytes
  • font_01_sfnt_off0001192a.bin
    SHA-256: 099f875248e82457a79b1dd526d940bc8b2faaddfaff62746aa6dfab878cb6eb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1192A
    Size: 4748 bytes
  • font_02_sfnt_off00012970.bin
    SHA-256: 14b1b0e95a0c3e0012922aff775d7a7f44d6261d5682d3e590071c4b1359a672
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12970
    Size: 10488 bytes
  • font_04_sfnt_off00017d1f.bin
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17D1F
    Size: 4324 bytes