Malicious PDF — malware analysis report

Static analysis result for SHA-256 051c1c3015156ac4…

Verdict: MALICIOUS
File type: PDF
Size: 86.6 KB
Created: 2021-03-05 10:02:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00a93e72007b7e6005ecd43f83b6e9ed
SHA-1: 4aa526a8ac75dc8a38e52e7dafa61ea1829361b0
SHA-256: 051c1c3015156ac4b23bf8b4a87d60c48b02fdd1dac281c59e9fbdf144bdb54d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a lure related to connecting a Bluetooth speaker, which is a common social engineering tactic. It embeds external URLs, one of which is identified as a potential phishing or malware distribution point. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to redirect the user to a malicious site or download a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001155d.bin
    SHA-256: 72627fd511620657e41db9a17b3ab8646986616468eced9acb52b16611a4670f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1155D
    Size: 5456 bytes
  • Filename: font_01_sfnt_off000127f7.bin
    SHA-256: 7a371583ca58b350b1051fa6276677484b7cfefb1d2c337a4f97b7029d7436cc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x127F7
    Size: 10724 bytes