Malicious PDF — malware analysis report

Static analysis result for SHA-256 08c076392ee9a08e…

MALICIOUS

PDF

Size: 76.8 KB
Created: 2021-03-08 23:44:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4daff52c4970b74254745cfbeb3e08c0
SHA-1: efc9347469cc9168acb5f0b57a6eb87fc588ac3d
SHA-256: 08c076392ee9a08e3895796bd6686046eaf63898b5cd998a0276bd4799ba8c22
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected as malicious by an ML classifier and by ClamAV, indicating a high likelihood of malicious intent. The heuristic 'SE_BROWSER_INSTALL_LURE' strongly suggests a social-engineering attack aimed at tricking the user into installing malicious software or extensions. The embedded URLs point to potentially malicious or phishing sites, further supporting the phishing and malware-delivery attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure (severity: high, SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f24b.bin
    SHA-256: be9de4d95dd5eac194068088274fa6269399a1569a547dff9860e14538c8af88
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF24B
    Size: 4968 bytes
  • Filename: font_01_sfnt_off00010358.bin
    SHA-256: c6397d3b4e838da521adf6a463793a6f9a904427767a6512a9c6c63923e588cd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10358
    Size: 10128 bytes