Malicious PDF — malware analysis report

Static analysis result for SHA-256 03f37cb499b646a7…

MALICIOUS

PDF

Size: 76.8 KB
Created: 2021-03-14 22:32:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10ac6637ead492d2396f992d2a1d3405
SHA-1: 11854e9a63577a9f31ddf82fa086d4c4dace44b0
SHA-256: 03f37cb499b646a704534f7ad2638db40810e4dbe24a05289635e7ce0222ce74
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

Both the ML classifier and ClamAV flag the file as malicious; the ClamAV signature names it a PDF phishing trojan. The document carries an external URI action that sends the reader to a suspicious domain, consistent with a phishing or malware-distribution lure. The document body, although heavily obfuscated, contains text matching the keyword parameter in that URL, which suggests a lure page built around that search term; the file was produced by wkhtmltopdf, i.e. rendered from HTML rather than authored in a PDF editor.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV matched the file against signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • External URI action info PDF_URI
    The PDF contains a /URI action, the link-type action that opens an external URL in the viewer's browser when triggered (for example from a link annotation or the document's /OpenAction).
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A reader that honours the first definition and one that honours the last will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the victim's viewer. Body-only differences are also the normal result of a benign incremental update (the file is appended rather than rewritten), so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label records which channel (macro, JavaScript, link annotation, document body, ...) reached it. Of the list below, the first entry is the one carrying the keyword parameter referred to in the summary; the cdn.sqhk.co, rf.gd, epizy.com, strikinglycdn.com and filesusr.com entries are links to further PDFs on free or CDN hosting; the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, and scripts.sil.org/OFL and ascendercorp.com are font-licence and foundry references that typically come from embedded font metadata, so those last two groups are not navigable lure links.
    • URL https://nipisod.ru/wix?keyword=bailes+de+corridos+en+sinaloa
    • https://cdn.sqhk.co/wodelaganav/ihcXjjg/maxem.pdf
    • https://cdn.sqhk.co/borefigux/jbHtxM4/sniper_games_for_android_2._3._6.pdf
    • https://cdn.sqhk.co/satukevaguka/ajifxie/mobiles_ringtones_download_all_mp3_ringtones_free_apk.pdf
    • https://cdn.sqhk.co/vefusujix/f8Jjcij/eternal_card_game_switch_review.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/6e322318-97dd-4bea-a283-a5b6c783979e/craftsman_snowblower_manual_parts_list.pdf
    • https://uploads.strikinglycdn.com/files/48079528-2782-442d-86ca-400e4d8dc9c4/panasonic_phone_manuals_kx-dt343.pdf
    • http://webubekesivamuf.epizy.com/5617944333.pdf
    • http://zifetexivex.rf.gd/56219522819.pdf
    • http://dupikupujetilu.rf.gd/cissp_cbk_reference_5th_edition.pdf
    • https://0a01f052-6ee6-4bfa-868d-d2e49373b03f.filesusr.com/ugd/55f640_9d59b7f2810748a583af0ede2ba0fb04.pdf?index=true
    • http://vejesigivilowen.rf.gd/magic_bullet_theory.pdf
    • http://sewexojin.rf.gd/towiparo.pdf
    • https://992bddda-184d-467f-a815-0165b41a2208.filesusr.com/ugd/69695d_4d064cf827074096a7999d62189c1793.pdf?index=true
    • http://mudotepejix.epizy.com/sugozuwukumesujejinek.pdf
    • https://uploads.strikinglycdn.com/files/528f4c24-0655-4a0e-b8cf-d655a7c24fbb/debupuzo.pdf
    • https://uploads.strikinglycdn.com/files/98eb9716-2ba1-4a90-9687-9cda91efb110/zanofafuv.pdf
    • https://uploads.strikinglycdn.com/files/e94f4466-f591-4189-afe1-3dae2e7bea09/tofene.pdf
    • https://cee4a208-09ac-40e0-983f-4c2cc776acbe.filesusr.com/ugd/5ed537_cc254fe3957f4ab499ed95165a09608f.pdf?index=true
    • https://828c6a01-da61-4814-986a-f72e64f4f334.filesusr.com/ugd/cdfdba_3725d8c06f824d4eae3f0be3b8020158.pdf?index=true
    • https://d21da297-2d1c-4020-882f-059d99c29dc9.filesusr.com/ugd/3724a2_db0aea74e1bf4067b0da9beaeaa64f4d.pdf?index=true
    • http://ziwutaje.epizy.com/nezatitita.pdf
    • http://rebivik.epizy.com/46_bike_race_video.pdf
    • http://jibapasugaxelo.epizy.com/bezod.pdf
    • https://1fa67a36-2e8b-44cc-a955-751d80433762.filesusr.com/ugd/d85e51_989970df847c4eab8981836a1d871694.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
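The duplicate-object and URI-action heuristics above can be reproduced with a byte-level scan. The Python below is an added example written for this report, not the analyser's own code. It runs on a constructed minimal PDF embedded inline (no xref tables) in which an incremental update redefines the /OpenAction target, object 3, with a different /URI and re-saves the /Info dictionary with only a changed /ModDate, so one duplicate carries active content and one does not. The object layout, URLs and the ACTIVE_KEYS list are assumptions for the example and are not taken from the sample analysed here.

```python
"""Byte-level check for duplicate indirect objects and /URI actions in a PDF.

Added example for this report, not the analyser's own code. It mirrors the
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI heuristics on a constructed
sample; it does not decode compressed object streams (/ObjStm) or xref streams,
so on real files run it after decompressing with a proper PDF library."""
import re
from collections import defaultdict

# "N G obj <body> endobj"; the lookbehind stops "13 0 obj" matching as "3 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string form of a URI action target: /URI (http://...)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that make a redefined object "active" (assumed list, not exhaustive).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")

# Constructed sample: a base document plus one incremental update. Object 3 (the
# /OpenAction target) is redefined with a different /URI; object 4 (/Info) is
# re-saved with only a new /ModDate. No xref tables: the scan does not need them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /URI /URI (https://example.invalid/benign) >>\nendobj\n"
    b"4 0 obj\n<< /Producer (constructed-sample) /ModDate (D:20210314) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    b"3 0 obj\n<< /S /URI /URI (https://lure.example.invalid/wix?keyword=test) >>\nendobj\n"
    b"4 0 obj\n<< /Producer (constructed-sample) /ModDate (D:20210315) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes, keeping every definition in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def resolve(data: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """Emulate a first-wins or last-wins reader for one object id."""
    bodies = parse_objects(data).get((num, gen))
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


def find_duplicate_bodies(data: bytes) -> list:
    """Object ids defined more than once with differing bytes.

    Severity is 'info' for body-only differences (normal incremental saves) and
    'high' when any definition carries an active-content key."""
    findings = []
    for key, bodies in parse_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in body for body in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": key, "definitions": len(bodies),
                             "severity": "high" if active else "info",
                             "first": bodies[0], "last": bodies[-1]})
    return findings


def extract_uri_actions(data: bytes) -> list:
    """(obj id, url) for every /URI literal-string target, in file order."""
    return [(key, m.group(1).decode("latin-1"))
            for key, bodies in parse_objects(data).items()
            for body in bodies
            for m in URI_RE.finditer(body)]


if __name__ == "__main__":
    for f in find_duplicate_bodies(SAMPLE_PDF):
        print(f"{f['obj']} defined {f['definitions']}x, severity={f['severity']}")
        print("  first-wins:", f["first"].decode("latin-1"))
        print("  last-wins: ", f["last"].decode("latin-1"))
    for obj, url in extract_uri_actions(SAMPLE_PDF):
        print("URI action in", obj, "->", url)
```

On the constructed sample the scan reports object 3 as a high-severity duplicate (both definitions are /URI actions, with different targets under first-wins and last-wins resolution) and object 4 as an info-level duplicate, which is exactly the severity split the heuristic description above calls for. A string-only scan misses hex-string (`<...>`) URI targets and anything inside compressed object streams, so treat it as triage, not as a replacement for a real parser.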

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000edeb.bin
  SHA-256: a0198c0b629e4b7ddf16a9dd83ace43aff20edb9f3c59f675eadf4c3a6ee78b7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEDEB
  Size: 4984 bytes

font_01_sfnt_off0000fee4.bin
  SHA-256: 3c2f30f9792666de88a78509cd4443b60713f23ae5c865be90f1f805c4fe6cf1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFEE4
  Size: 11336 bytes