Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7f6a0e1386d4e91…

Verdict: MALICIOUS
File type: PDF
Size: 87.0 KB
Created: 2021-04-05 13:05:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: 2935002e05afb827ea8ecfc70a25f339
SHA-1: 5511e189e7e6a11f30a1181326aa81defcbfbd39
SHA-256: e7f6a0e1386d4e915ed203b22448136e23c9ac6425e9249c32bd6ede7fad31b6
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URL that directs users to a suspicious domain, likely for credential harvesting or further malware delivery. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest a phishing attempt disguised as research material.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/award?keyword=case+study+sample+research+pdf (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010b10.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B10
    Size: 5136 bytes
    SHA-256: 53b285d7d8588974965001255fb2b9ac6b9db0baea6fd76a69a84d2704654918
  • Filename: font_01_sfnt_off00011c90.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11C90
    Size: 10768 bytes
    SHA-256: 06b9b3f4f42c1ff926bd8f970305ab4601666e74c18c434d6c5b239272f08a7b
  • Filename: font_02_sfnt_off00014155.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14155
    Size: 4324 bytes
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34