Malicious PDF — malware analysis report

Static analysis result for SHA-256 e648aa4d0850679f…

MALICIOUS

PDF

Size: 69.1 KB
Created: 2021-03-16 22:41:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: 691f24f2147d8166bd050ffd029389c7
SHA-1: c4cfdfc00c242067946b56c8f78b5438d0d17c5e
SHA-256: e648aa4d0850679fcd464f28c2246c62610d4275b3432e23f64fb8ef377a9163

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. ClamAV detection and ML classification further confirm its malicious nature. The presence of an external URI suggests an attempt to redirect the user to a malicious site, likely for credential harvesting or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (URL, followed by the channel that reached it):
    • https://mezovuduw.ru/wix?keyword=words+start+rem (PDF link annotation)
    • http://xorimomupajo.scienceontheweb.net/57281857294.pdf (in PDF document text)
    • http://wow50.pro/ginajakibosrzfy3.pdf (in PDF document text)
    • http://kuzexamipapoxip.medianewsonline.com/kiroles.pdf (in PDF document text)
    • https://mumifigade.weebly.com/uploads/1/3/4/3/134314269/daxos.pdf (in PDF document text)
    • https://natulawud.weebly.com/uploads/1/3/4/3/134309077/409d95f9c1b3.pdf (in PDF document text)
    • http://zuvalasit.mypressonline.com/3691571108.pdf (in PDF document text)
    • http://fruits-summer.fun/paragraph_of_the_weekwihao.pdf (in PDF document text)
    • https://wixepivod.weebly.com/uploads/1/3/0/7/130775856/07eeae6.pdf (in PDF document text)
    • http://mutetufowikujib.22web.org/97989567306.pdf (in PDF document text)
    • https://dewufore.weebly.com/uploads/1/3/4/8/134857007/xasapaminuloxal-bowawerizabaf-zozuzevij.pdf (in PDF document text)
    • https://tuboxivodase.weebly.com/uploads/1/3/4/3/134387713/8b5e60a4.pdf (in PDF document text)
    • http://mp4.design/groupon_merchant_center_italiac15pb.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://varijaponinaza.rf.gd/bedofugajukupo.pdf (in PDF document text)
    • https://s3.amazonaws.com/kosipefojaw/moxadalunijow.pdf (in PDF document text)
    • https://s3.amazonaws.com/jedadokuti/medemeta.pdf (in PDF document text)
    • https://s3.amazonaws.com/fodose/4014459229.pdf (in PDF document text)
    • http://gixejemazob.myartsonline.com/los_verbos_ms_usados_en_ingls_en_todos_sus_tiempos.pdf (in PDF document text)
    • https://s3.amazonaws.com/wapabefizosumi/dad_s_army_theme_song_sheet_music.pdf (in PDF document text)
    • http://lurarapekakaka.atwebpages.com/16573336016.pdf (in PDF document text)
    • http://judiserod.onlinewebshop.net/chess_openings_book.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000d244.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xD244   4952 bytes
    SHA-256: bf2eb33b7dd4c7a8013d73e6cda3eb30719170183866c32057a20ef72e6d9574
font_01_sfnt_off0000e30e.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE30E   10816 bytes
    SHA-256: 7dc3a68eae13b84d738784f05b5d682fa4895e88dab670dcb9b4b2f01a084b8f