Malicious PDF — malware analysis report

Static analysis result for SHA-256 058c8ab47d11e290…

Verdict: MALICIOUS
File type: PDF
Size: 93.9 KB
Created: 2021-07-05 04:05:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 34173c1ea9c154ef29152f9fb12f7ebd
SHA-1: 139da3bf538c80e75f5bbb23904dcbcfe1b3920e
SHA-256: 058c8ab47d11e290e7498485e82cefeb13c64bbacf08700bf0859fc266e8ee93
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, some pointing to suspicious PDF files hosted on compromised websites, suggests a phishing or malware distribution scheme. The document body is heavily obfuscated, preventing a clear understanding of its specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://newat.ru/wp-content/plugins/super-forms/uploads/php/files/c6ebb643704757adbc873b4bed6532ef/8389601816.pdf
    • https://socialacademy.gr/wp-content/plugins/super-forms/uploads/php/files/61dd920a451a479004d925b29262db80/26422963044.pdf
    • https://www.demetagras.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070a83ab833e---dobisurumo.pdf
    • http://geology.ie/wp-content/plugins/formcraft/file-upload/server/content/files/160904e623332b---tipaledufotarakak.pdf
    • http://andreevmag.com/wp-content/plugins/super-forms/uploads/php/files/6bb327f3a43ed5113bb085a3683c31f3/48575991964.pdf
    • http://irmascaritasdejesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608d7db3b1533---31608182250.pdf
    • http://principessavencanice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c8dff62a839---rixexawinaboxumofuf.pdf
    • https://messianic.live/wp-content/plugins/super-forms/uploads/php/files/96e345553dbe8c1fb9830e6fb309569d/noxobezuguzagepikuge.pdf
    • https://doitsolutions.co/wp-content/plugins/super-forms/uploads/php/files/6fe1c3558f4e32fbdbb8eccdebd89426/99795427464.pdf
    • https://fourseasons.events/wp-content/plugins/super-forms/uploads/php/files/5b838677e7a2d46f66ecbaab8adc303c/wosipatadum.pdf
    • https://anyimaker.com/upload/users/files/pakotopatunavejodilaxoziv.pdf
    • http://dynamic1984.com/user_file/file/wimuxodedulesazikagivem.pdf
    • https://polskieplytki.com/wp-content/plugins/super-forms/uploads/php/files/ce1a20194d9d480d8ca98317869ca995/39432452325.pdf
    • http://constructionone.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160898057cd49f---88569304213.pdf
    • https://saftanton.dk/wp-content/plugins/formcraft/file-upload/server/content/files/1609839f511428---pebuzuza.pdf
    • https://plswa.com/wp-content/plugins/super-forms/uploads/php/files/91de648efcc3e35c83e56c90c36d7e7e/26738353265.pdf
    • https://mnlex.it/file/3280508276.pdf
    • https://hijaulumut.com/contents//files/44433485714.pdf
    • http://lavera.it/wp-content/plugins/formcraft/file-upload/server/content/files/160ac10f8199da---65552560313.pdf
    • https://www.cr-sdc.org/wp-content/plugins/super-forms/uploads/php/files/21badb229379c4e3d62d459b939a99ff/92915228344.pdf
    • https://www.picmephotoboothhire.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16091c7d63e025---72357906402.pdf
    • http://boldogelet.hu/media/lodexafosegirigufetuwamuv.pdf
    • https://www.adler-leitishofen.de/wp-content/plugins/formcraft/file-upload/server/content/files/160d67b8407fda---lebizofijenosi.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/PmAiG5ZyT-k/uplcv?utm_term=ca+drivers+written+test+answers
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source location within the sample, and size.

  • font_00_sfnt_off00010ce9.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CE9
    Size: 16792 bytes
  • font_01_sfnt_off00012500.bin
    SHA-256: aa68453ce98d439d0d6c70cac01c2267bbe9b823acfb0d7396ed9a0b16c0f1a1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12500
    Size: 10256 bytes
  • font_02_sfnt_off00013c3b.bin
    SHA-256: 6e4d470de6463dc0833b4500e8d6f5afadd677d4d3c86625f573e292772be822
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13C3B
    Size: 17460 bytes