Malicious PDF — malware analysis report

Static analysis result for SHA-256 028f48dedf33bf1b…

MALICIOUS

PDF

152.5 KB Created: 2021-03-30 15:56:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a4228434447633777a5c205f99b0226 SHA-1: 7e8c460d895903271307b1fb568ac1e4b7fcbce3 SHA-256: 028f48dedf33bf1bfc4dd45ad904153a67f960001cd7c2ff1c7cadd7b9f7e7ef
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1190 Exploit Public-Facing Application

The PDF document was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. The heuristic 'SE_MFA_LURE' indicates the document is designed to harvest credentials by impersonating a service requiring multi-factor authentication or a one-time code. An external URI was found pointing to a suspicious domain, likely part of the phishing infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/wix?keyword=mr+anderson+beavis
    • http://kidiwutimako.mygamesonline.org/60827338152.pdf
    • http://tomolijoponix.mypressonline.com/case_study_houses_download.pdf
    • https://cdn-cms.f-static.net/uploads/4419654/normal_601d27f6518ce.pdf
    • https://gupijevud.weebly.com/uploads/1/3/1/4/131407369/0e4c215d9462587.pdf
    • http://rilomenininun.getenjoyment.net/76904186989.pdf
    • https://cdn-cms.f-static.net/uploads/4417305/normal_602c82c2bcc13.pdf
    • https://cdn-cms.f-static.net/uploads/4403539/normal_60431d19a996d.pdf
    • https://cdn-cms.f-static.net/uploads/4370092/normal_600f47c254c50.pdf
    • https://kudizuvawemexol.weebly.com/uploads/1/3/4/3/134307781/zevovax_nufedetam_tomanaj_vuzig.pdf
    • https://static.s123-cdn-static.com/uploads/4385207/normal_60047e4263da4.pdf
    • https://cdn-cms.f-static.net/uploads/4477626/normal_6029c52ccd857.pdf
    • http://dimozakebaba.scienceontheweb.net/brussels_travel_map.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/903ce6aa-37dd-4b39-b09a-a1af822d5e85/why_is_singlet_oxygen_dangerous.pdf
    • https://uploads.strikinglycdn.com/files/d5ad8680-9acb-49a7-8574-76fc6bd0df74/44282204185.pdf
    • https://uploads.strikinglycdn.com/files/9bcca0c0-0cfc-4919-923e-6dd2d6d97790/how_to_view_history_in_chrome_android.pdf
    • http://fajenadiwizowo.atwebpages.com/body_combat_80_choreography_notes.pdf
    • http://sogivuwe.onlinewebshop.net/vawixuxijiwutebebonu.pdf
    • http://pojozija.onlinewebshop.net/sample_personal_statement_for_job_application.pdf
    • http://sifebitufol.onlinewebshop.net/zesetamatabiliwizurobos.pdf
    • https://uploads.strikinglycdn.com/files/67c769a1-33fb-45c3-9e93-e4bc83784f0f/how_do_i_turn_my_webcam_on_windows_10.pdf
    • https://uploads.strikinglycdn.com/files/9477ef43-e823-4355-b5ee-6719b3aa3fd5/kenmore_freezer_model_253_cubic_feet.pdf
    • http://jaminuzifibe.onlinewebshop.net/apartheid_policy_in_south_africa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00021bb8.bin
1a8baafa806fbd289a21bce4cac68be6a1f1deb97fef55d5b4670fad0cc86eaf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x21BB8 4992 bytes
font_01_sfnt_off00022cd0.bin
54895621d198f0c629c07433a988b0918b5214622d5a39349281e39f2619b4f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x22CD0 11780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.