Malicious PDF — malware analysis report

Static analysis result for SHA-256 07bb8eb983ea39fb…

Verdict: MALICIOUS
File type: PDF
Size: 93.7 KB
Created: 2021-01-25 21:24:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-14
MD5: 90d690ab3550a632ae773bdd8bf52868
SHA-1: ce97552158377df5b6cbdb859d0c6027a0926421
SHA-256: 07bb8eb983ea39fb54a26323278ffa23fff167d58a06fb79de8451244531d76b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URL and numerous other URLs suggest the document is designed to redirect users to download malicious content, likely disguised as software or tools. The document body, though partially corrupted, contains keywords related to 'video editing' and 'android github', which are likely lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, each followed by the channel that reached it:
    • https://trafffi.ru/aws?utm_term=video+editing+android+github (PDF link annotation)
    • https://cdn.sqhk.co/kamupudoro/yQB4ugc/clash_fortnite_tracker.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4380682/normal_5fff4d72395fa.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4488339/normal_5fe52e78ea18c.pdf (in PDF document text)
    • http://my-favshopc.online/cnc_programming_lab_manualkpt0n.pdf (in PDF document text)
    • http://epaytds.xyz/need_for_speed_no_limits_apk_datahfb4s.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4420934/normal_5fea2de8e2213.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4368970/normal_5fc5f1d1c916d.pdf (in PDF document text)
    • https://cdn.sqhk.co/fefuxumito/Tibichi/zezagawufamajeses.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4445340/normal_600618c518174.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4493198/normal_5fc5d70004225.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4382789/normal_6000dadbc0459.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4411479/normal_5fdad8672b20f.pdf (in PDF document text)
    • http://proflist-briansk.ru/75787731787d3bps.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4500897/normal_600abbbf7dece.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/wuxupewu/vipokumo.pdf (in PDF document text)
    • https://s3.amazonaws.com/muwomapotumugi/blank_guitar_chord_sheet_printable.pdf (in PDF document text)
    • https://s3.amazonaws.com/rawesaragegugar/factoring_trinomials_problems_worksheet.pdf (in PDF document text)
    • https://s3.amazonaws.com/takateg/spotify_premium_apk_para_pc_2019.pdf (in PDF document text)
    • https://s3.amazonaws.com/sukedil/32555151485.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                        Size
font_00_sfnt_off000102c3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x102C3    3932 bytes
  SHA-256: 6c5f17aecc2c1da4c7064733f2f21b7ff9f7c4c2a4b1b23756865a3d40d8127a
font_01_sfnt_off000110a7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x110A7    4984 bytes
  SHA-256: c7c30de9c224d1df417ab024d51ac777ef49fd6a5af04272f1e4eb644271d448
font_02_sfnt_off0001218c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1218C    2188 bytes
  SHA-256: 595d97071dc3553b9872d88641a6d2782645a24877ebd392aa18c5b0c77c364e
font_03_sfnt_off00012b57.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12B57    11540 bytes
  SHA-256: 4e298bc5b6dfb34034093fb441d6257a519119b5a1793e6c516cedee2d223290
font_04_sfnt_off000152f9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x152F9    16144 bytes
  SHA-256: 2a5f1667c2e343500efde63e3dd6a136498333968b1680966ac5eb34589f1174