Malicious PDF — malware analysis report

Static analysis result for SHA-256 e782705facde0c10…

MALICIOUS

PDF

84.5 KB Created: 2021-04-01 18:15:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2f5dbd8b4ea289dc9d0af4ddda3094fa SHA-1: 9da7e417ab9754e28cff3945f9872c4d9f0c77b5 SHA-256: e782705facde0c10fd574a15e6aa18f779a08dd6e27a06438275209f050ab107
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1539 Steal One-Time Password

This PDF document was flagged by ClamAV as a phishing trojan. Heuristics indicate it is a lure for MFA or one-time code harvesting, likely to steal session tokens or credentials. The embedded URL `https://xezojetit.ru/123?utm_term=aadhaar+card+duplicate` suggests a phishing attempt related to identity documents.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/123?utm_term=aadhaar+card+duplicate
    • https://cdn.sqhk.co/makulowujip/hjejcOY/26691784683.pdf
    • https://static.s123-cdn-static.com/uploads/4387046/normal_5ff2f0f5813e5.pdf
    • https://cdn.sqhk.co/kivipemo/CBzRJjj/4831920716.pdf
    • https://cdn-cms.f-static.net/uploads/4384037/normal_60432779bab85.pdf
    • https://static.s123-cdn-static.com/uploads/4459625/normal_5ffae7d3659b0.pdf
    • http://futajef.medianewsonline.com/sakifatopubonenike.pdf
    • https://cdn.sqhk.co/fatepotax/ho6Hgcc/86967408384.pdf
    • https://cdn-cms.f-static.net/uploads/4459058/normal_5fe975cd9e933.pdf
    • http://pawezujexas.mywebcommunity.org/characteristics_of_athenian_democracy.pdf
    • http://ipoteka.net/43252854409nr82h.pdf
    • http://yazansoft.com/gomasisixemogolitogunuj1viyq.pdf
    • https://cdn-cms.f-static.net/uploads/4380699/normal_605df37525f2c.pdf
    • https://cdn.sqhk.co/tomubozes/t6hgGgc/business_proposal_writing_sample.pdf
    • http://jawazapefaxuzit.mywebcommunity.org/green_revolution_file_download.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/d3e8ce84-3917-4afc-8b57-c46c11582cbd/77104457759.pdf
    • http://gitodake.myartsonline.com/pojowesom.pdf
    • https://uploads.strikinglycdn.com/files/169a6520-99fc-45e3-bb2e-629d33184a28/tisewokefenogivorev.pdf
    • http://xutenujute.myartsonline.com/glossary_of_mathematical_terms.pdf
    • https://uploads.strikinglycdn.com/files/e4e58aa8-62e9-4159-95cd-c441180a14c6/fofexuzezavarapugekati.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f9c2.bin
6a686c4e42163114b798e77b05ff41d2047b624e7c400f29c5a0e28b99d9b281		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF9C2 4972 bytes
font_01_sfnt_off00010aa6.bin
0c6386e2fa1713815c83bafb4824f7a2d3308ad23bc484dda8849730e943c366		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10AA6 10820 bytes
font_02_sfnt_off00012fa8.bin
1228951d8b8afd19f708f6c25db439dc930da3ce97d088843285cfc35a7e79ac		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12FA8 5864 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.