Malicious PDF — malware analysis report

Static analysis result for SHA-256 0844b67e498c7bd3…

MALICIOUS

PDF

Size: 74.4 KB
Created: 2021-03-30 04:32:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3a2060ac36b2e28d59217355ea6f5238
SHA-1: accf1e7263da4fbc31655f9865d8d2663f3b6467
SHA-256: 0844b67e498c7bd3a96717af56339b1cd3c3b7fdaea0aa9b8bf6c3c6c9e06ca0
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as a phishing trojan by ClamAV and flagged as malicious by an ML classifier. It contains multiple embedded URLs, one of which is directly associated with the external-URI heuristic firing. The document body, though heavily obfuscated, suggests a lure themed around exam results, consistent with phishing tactics. No scripts were extracted, but the presence of external links indicates a likely attempt to redirect the user to a malicious site for further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e559.bin
  SHA-256: 85734e2afc62098b99f39eaf3a64ae6f4b496199bf9dc83d76549cdd836913b1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE559
  Size: 5560 bytes

Filename: font_01_sfnt_off0000f84d.bin
  SHA-256: 1a93bc4eef04ae65fb83cc9975f419cedcb9d7097c60ecf63c7fe8dfd5342aa0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF84D
  Size: 10408 bytes