Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d170b37c816826c…

MALICIOUS

PDF

Size: 68.0 KB
Created: 2021-02-17 15:40:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: da993fcdf4867595bbdbe17ca1d48f81
SHA-1: 753c6d394cec766e8c2d0ac7f95f3f588842066a
SHA-256: 0d170b37c816826c9457b3480a1d4d5e2c70299ec130bc8b0bc143470d84ab1d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded URLs that lead to potentially malicious domains, as indicated by the ML classifier and ClamAV detection. The document body, though heavily obfuscated, suggests a lure related to 'worksheet answers', aiming to trick users into visiting these external links. The presence of PDF_URI and EMBEDDED_URL heuristics further supports the malicious intent of directing users to external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://seumenha.ru/wix?keyword=concentration+involving+parts+per+million+worksheet+answers
    • http://davofaso.22web.org/tonivejagesazusawixop.pdf
    • http://debesur.iblogger.org/verifone_vx520_manual_paper_feed.pdf
    • https://wezenazuzive.weebly.com/uploads/1/3/4/7/134764498/001f8c88692.pdf
    • https://juwexulomo.weebly.com/uploads/1/3/4/3/134385858/ferojisega_vulode_legejawojefiwom.pdf
    • https://cdn.sqhk.co/konafomaz/bIicjd3/dimudavezegurijebejana.pdf
    • https://jowidizikut.weebly.com/uploads/1/3/0/8/130874332/xuguxopa.pdf
    • https://static.s123-cdn-static.com/uploads/4468261/normal_5fed17cf387fe.pdf
    • http://lerinumemikiw.22web.org/ben_10_cartoon_network_android_games.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vukupemenamumoz.rf.gd/liditimeg.pdf
    • http://wefugugis.epizy.com/divikaxudafav.pdf
    • http://lofetumavigasi.epizy.com/medicinal_chemistry_textbook_free.pdf
    • http://dujofaxuro.rf.gd/non_compete_agreement_new_york_template.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                    Size
font_00_sfnt_off0000cba3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCBA3  5468 bytes
  SHA-256: 1e7482a3da6d873cee5e4c76b5490977242fa684a673809a674665849c72373f
font_01_sfnt_off0000de24.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDE24  10836 bytes
  SHA-256: f2392494a880bf4400600e4f8e82ad3742809d90e281beeca334f492560c60c7