Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4473038fc54b603…

MALICIOUS

PDF

Size: 197.3 KB
Created: 2021-03-24 05:41:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 27a369e6e7e3eaf12f48ba257396726a
SHA-1: 79440f3871e5d2486622efb4644a45dd04dbc7de
SHA-256: f4473038fc54b603da9a84652bf140f1a9978584fb7aa4d00775fe72b6c40dac
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The embedded URL points to a suspicious domain, likely serving as a lure to a phishing or malware distribution site. Although no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest it may contain JavaScript to facilitate the redirection or payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9914

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware with the signature named above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://soxebez.ru/aws?utm_term=what+did+alexander+the+great+want+to+do

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0002a2b4.bin
    SHA-256: c84e30d246b2a738a4dcb9d59150452c095e6fb8ef42386ec48af2c5e9ba33de
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A2B4
    Size: 5084 bytes
  • Filename: font_01_sfnt_off0002b410.bin
    SHA-256: e1944fc1f73cab1a992826be03192fd4b31483506a1f36bb9d9c49d85de85ff4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2B410
    Size: 19520 bytes
  • Filename: font_02_sfnt_off0002eb67.bin
    SHA-256: 9be772caccb8a2e824f5aba3ffcb477cbd3798d73fe7ed8b5bca6c39d02ceade
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2EB67
    Size: 17352 bytes