Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed236a856d66a907…

MALICIOUS

PDF

70.9 KB Created: 2021-04-04 18:02:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cfaa636b5c5bf83749b4511cffe0f54f SHA-1: 2a1a587d32073adb8bc8d831d53416bc8ef3451e SHA-256: ed236a856d66a907dcc28683acebf68e177d5e7af12db71880adb21bc3f383c4
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both the ML classifier and ClamAV flag this PDF as malicious. The document carries link (URI) actions to a long list of throwaway-looking domains and free-hosting paths (weebly.com uploads, strikinglycdn.com, sqhk.co, assorted *.atwebpages.com / *.mywebcommunity.org style hosts), which is the shape of a redirector document: its job is to move the reader to a phishing page or to a further download rather than to exploit the viewer. The PDF_URI and EMBEDDED_URL heuristics confirm that external URI actions are present, and the duplicate-object heuristic shows the file was written in more than one revision. When reviewing the URL list, note that the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers and scripts.sil.org/OFL is the SIL Open Font License link, all of which are benign metadata left by the authoring tool and the embedded fonts; the two ascendercorp.com links are a font designer's site and most likely also come from embedded font metadata. None of those should be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://gimoguvi.ru/strik?utm_term=love+text+png+black+background
    • http://datiwufirul.medianewsonline.com/evening_snacks_recipe.pdf
    • https://cdn.sqhk.co/remonupode/ibWiiid/nfl_sunday_ticket_roku_student.pdf
    • http://zelumefepa.sportsontheweb.net/modern_business_process_automation_download.pdf
    • https://menuzuxa.weebly.com/uploads/1/3/1/0/131070619/4bd68c0546.pdf
    • http://rumurel.mywebcommunity.org/adaptive_control_astrom_wittenmark.pdf
    • https://zepafasamog.weebly.com/uploads/1/3/4/3/134361306/9520188.pdf
    • https://cdn.sqhk.co/tezakagadol/lgihblV/fun_literacy_activities_for_3rd_graders.pdf
    • https://liwavijej.weebly.com/uploads/1/3/4/3/134379327/vijojizuvabenofot.pdf
    • https://fikobovivinuzo.weebly.com/uploads/1/3/0/7/130739062/miwufefinisu.pdf
    • https://subijiderekura.weebly.com/uploads/1/3/4/6/134616270/ec40fc1329f25.pdf
    • https://safasisi.weebly.com/uploads/1/3/4/4/134472516/jusowevupi.pdf
    • https://cdn.sqhk.co/gapebeve/geajdjg/kajubis.pdf
    • http://lofoporubatul.mygamesonline.org/a_user_s_guide_to_the_brain.pdf
    • https://cdn.sqhk.co/kidatufo/ZgfNKzz/gezisekerubesawapotewat.pdf
    • http://bulakirip.getenjoyment.net/merepibumigimujosutuwibuj.pdf
    • https://zovijopafirol.weebly.com/uploads/1/3/4/6/134630452/4b63e95b8f34.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://seroritubofa.atwebpages.com/56777489343.pdf
    • https://uploads.strikinglycdn.com/files/b24e1e0a-72b3-49fa-b9d1-ba6b2e285908/fekalakenaxabamomebafaw.pdf
    • http://vumamuv.myartsonline.com/what_is_doubt_a_parable_about.pdf
    • https://uploads.strikinglycdn.com/files/eebbcce6-d1a4-4853-858c-05b8bf6a94d6/17058418259.pdf
    • https://uploads.strikinglycdn.com/files/0093cfa1-d466-4e74-9dc2-b58947084273/what_drinks_does_taco_bell_serve.pdf
    • http://nosigegu.onlinewebshop.net/concierto_de_aranjuez_trumpet_solo.pdf
    • https://uploads.strikinglycdn.com/files/0a720aac-f9ee-4982-ab4c-bf349d6123f9/29017633817.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
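The two heuristics above that do the real work here, PDF_URI / EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, reduce to a small scan over the raw bytes: enumerate every `N G obj ... endobj` definition in file order, keep all bodies for each object number, report the ones whose bodies differ, and then resolve each object both first-wins and last-wins before pulling out `/URI` targets, because the two policies can yield different links. The following is an added example written for this page, not the analysis engine's own code. The PDF bytes are constructed inline (a two-revision file whose incremental update rewrites object 4), the example.org / example.net URLs in it are placeholders, and the regex approach deliberately ignores xref tables, which is the point when two revisions disagree.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): revision 1 defines object 4 as a
# link annotation to a benign URL; an appended incremental update redefines
# "4 0 obj" so that a last-wins reader resolves a different /URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
xref
0 5
trailer
<< /Root 1 0 R /Size 5 >>
startxref
0
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.net/evil.pdf) >> >>
endobj
xref
trailer
<< /Root 1 0 R /Size 5 /Prev 0 >>
startxref
0
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string /URI only; hex strings not handled


def indirect_objects(data):
    """Map (num, gen) -> list of body bytes in file order.

    A raw regex scan rather than a real PDF parser: it ignores the xref tables
    entirely, so every definition of an object is seen, not just the one the
    trailer points at.
    """
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_bodies(objs):
    """Keys defined more than once with at least two distinct bodies."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def uri_actions(objs, policy):
    """Resolve each object under 'first' or 'last' wins, then collect /URI targets."""
    idx = 0 if policy == "first" else -1
    out = {}
    for key, bodies in objs.items():
        uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(bodies[idx])]
        if uris:
            out[key] = uris
    return out


def triage(data):
    objs = indirect_objects(data)
    dups = duplicate_bodies(objs)
    first = uri_actions(objs, "first")
    last = uri_actions(objs, "last")
    # Mirror the heuristic's severity rule: a body-only duplicate is noise unless
    # one of the competing bodies carries active content (here, a URI action).
    active = sorted(k for k in dups if k in first or k in last)
    return {"duplicates": sorted(dups), "first_wins": first,
            "last_wins": last, "active_duplicates": active}


if __name__ == "__main__":
    r = triage(SAMPLE_PDF)
    for key in r["duplicates"]:
        print(f"object {key[0]} {key[1]} defined twice: "
              f"first-wins -> {r['first_wins'].get(key)}, "
              f"last-wins -> {r['last_wins'].get(key)}")
```

Run against a real sample, the interesting output is any object that appears in `active_duplicates`: that is an object where a viewer that trusts the latest xref and a scanner that takes the first definition will follow different links. Objects that are merely rewritten with identical bytes, the normal incremental-save case, never reach that list.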

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off0000da4a.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xDA4A   5336 bytes
  SHA-256: d8e51f32ee618de0d4336db981c053a65c2405c365f70cf218311f0a954bd708
font_01_sfnt_off0000ec86.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xEC86   9968 bytes
  SHA-256: 8467f9b21138b44359ea4e5ac046b93e8e833f6ffe4a1976b47c5f08a6617ba8