Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9c6acbd5386acc8…

MALICIOUS

PDF

180.0 KB Created: 2020-12-16 13:51:32 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 80f8b8883e38aeb4b219cc1f9159060d SHA-1: ba86baa474357b768324ef0bb8be3ab5d99f561b SHA-256: e9c6acbd5386acc827c45a9c7af8e63a588d1939cb0939f44e003c87115e2c49
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URL that mimics a search result, likely intended to trick the user into visiting a malicious site. ClamAV and an ML classifier flagged this PDF as malicious, indicating a phishing or trojan payload. No scripts were extracted, but the presence of an external URI and the ML detection strongly suggest a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/aws?utm_term=android+studio+3.+5+disable+instant+run
    • https://tidosivapozagul.weebly.com/uploads/1/3/4/3/134390518/xavosekamipo.pdf
    • https://jagamasukibo.weebly.com/uploads/1/3/4/4/134493784/659bcfd3063e23.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/nakevoja/72949697171.pdf
    • https://s3.amazonaws.com/jiwisigetizoxif/dakota_hills_middle_school_eagan.pdf
    • https://s3.amazonaws.com/pewebopufupe/98029245905.pdf
    • https://s3.amazonaws.com/tadovu/72745235779.pdf
    • https://static1.squarespace.com/static/5fc0f186bda9c57a97be6d6b/t/5fc1d7207acac6192a046fe2/1606539041186/redline_ping_pong_table.pdf
    • https://static1.squarespace.com/static/5fc0f06b104edf1d7780fa74/t/5fc39568e6d49a06bb00db7c/1606653288607/vakuzulu.pdf
    • https://s3.amazonaws.com/dotivaf/opera_browser_for_windows_10_pc.pdf
    • https://s3.amazonaws.com/lunojol/62798555407.pdf
    • https://s3.amazonaws.com/nitirew/59343341172.pdf
    • https://s3.amazonaws.com/zuxadol/bifamigovevasoxomas.pdf
    • https://s3.amazonaws.com/gavexilatuvitaz/banished_imdb_parents_guide.pdf
    • https://s3.amazonaws.com/tigewibejageju/liver_av_malformation_radiology.pdf
    • https://uploads.strikinglycdn.com/files/05fa4619-c820-457b-b223-c0fd7224654d/free_iptv_apk_for_android_tv_box_2019.pdf
    • https://s3.amazonaws.com/fejakixoweka/56201513910.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000286cd.bin
c0f9e97ae2475264f83289eab6e5d3eefee8a5cd4420a167e4112c9a84335f8e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x286CD 5268 bytes
font_01_sfnt_off000298cb.bin
4fedbf49351e66f86c8e254761475d8a1198c91659c40b869e3053a724562858		 pdf-font-stream PDF embedded font (sfnt) at offset 0x298CB 12040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.