Malicious PDF — malware analysis report

Static analysis result for SHA-256 f21e4828d4528fa2…

Verdict: MALICIOUS
File type: PDF
Size: 78.2 KB
Created: 2021-03-20 14:30:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2de71771ce818b33e5f59e07a7e8ad5e
SHA-1: 7f48067290f8b7e6aa9949abb6d1cb0c25b5426c
SHA-256: f21e4828d4528fa2ad39fdc1c0d5aa7ea2f441d099e65234307a1cfcbc03553a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URL that redirects to a domain associated with phishing or malware distribution, disguised as a legitimate document. The document body, though heavily obfuscated, suggests a lure related to a 'pocket guide for lactation management'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000dcb5.bin
    SHA-256: 0c63e688740edbad019e5b0294d5bbd3e4ae631460e65b56abd39d94574ee53b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDCB5
    Size: 5524 bytes
  • font_01_sfnt_off0000ef78.bin
    SHA-256: 23a31016743e8bdc2c9fe945c8c0ba5beaf56608b7aced57f136a76ebf0e3457
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF78
    Size: 11208 bytes
  • font_02_sfnt_off00011600.bin
    SHA-256: 462d13bd97d7d9b38b38dac4ddb889f891d4742debcdf3bbf084b15d68e01d41
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11600
    Size: 16084 bytes