Malicious PDF — malware analysis report

Static analysis result for SHA-256 efcd2b3961720b05…

Verdict: MALICIOUS
File type: PDF

Size: 117.1 KB
Created: 2021-03-28 20:22:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b2e99db6432f1f0b480e20ba4eadaef6
SHA-1: 6c6a832d893a91fb95be361317084f6d69c8cb65
SHA-256: efcd2b3961720b05ec04bc6873159827ea60af60985cc78cb9488e0764c05c43
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, likely for phishing purposes. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. The document body, though partially corrupted, suggests a lure related to online admissions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00013285.bin | 82552974f694b53b064deb3ed15be42df5bd6eb7612725705532b7707ac120ce | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13285 | 6692 bytes
font_01_sfnt_off000142ec.bin | ac347e322be62f68bd605b91d5ce76cdf9cb44395299682b381286ecaccaf270 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x142EC | 3460 bytes
font_02_sfnt_off00014f3b.bin | b5095b79b79caef601d5b4416073d70bdb874e73cd51c8af090ff071df0bcb9b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14F3B | 5212 bytes
font_03_sfnt_off000160dc.bin | 56be4e8f2e8bb3f09f307bafa8afa79c0b73f35f769a9bf4a9f72c5b2170a527 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x160DC | 13616 bytes
font_04_sfnt_off00018e56.bin | 45b19a914a4437bbbf33d8f8bd07c3d6ca5c8a02b6b2ed9fae9eaeac5004118a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x18E56 | 16540 bytes
font_05_sfnt_off0001a4f5.bin | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A4F5 | 4324 bytes
font_06_sfnt_off0001b2f5.bin | 697389ee72306878c10be918f605afe7353cb86d91494ef9a1158c2fa48096c7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B2F5 | 4332 bytes