Malicious PDF — malware analysis report

Static analysis result for SHA-256 0daa449246317757…

MALICIOUS

PDF

72.7 KB Created: 2021-05-15 22:43:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41b73789120900557b4c8d05bf6897b5 SHA-1: cfeb5c24cee932052a78cf3cb284c1f9f073c997 SHA-256: 0daa4492463177576a73f040d1ee0f48926a88b7f36e16c2d9683916296c8bb4
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document body, though heavily obfuscated, contains a URL that appears to be a search query, suggesting a lure to a potentially malicious website. The presence of embedded URLs further supports the attack pattern of directing users to external resources. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/wb?keyword=how%20to%20pair%20ge%20universal%20remote%20to%20tv
    • https://bogibopedazite.weebly.com/uploads/1/3/4/0/134018154/2665894.pdf
    • http://mosilewuzofivan.iblogger.org/waxuxime.pdf
    • http://lovojat.22web.org/debinasogep.pdf
    • https://tudaluvakagovax.weebly.com/uploads/1/3/4/6/134614365/xebeb.pdf
    • http://domen3.club/kaththi_movie_1080p_tamilrockers0smo4.pdf
    • http://reduslimitalia.site/adivinanza_dos_hermanitos_siempre_va8jkr7.pdf
    • http://xxlmature.site/hacking_game_app_android2vvt4.pdf
    • http://krokoboko3.xyz/2261945323136r8f.pdf
    • https://pezazexumazu.weebly.com/uploads/1/3/5/3/135392870/9069641.pdf
    • https://sanupeden.weebly.com/uploads/1/3/5/9/135961416/fd3544f76eddcb.pdf
    • http://ses-sanobrabotka.ru/jutubadesezabo9zz6p.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dexifugufesi.epizy.com/93850335683.pdf
    • http://loziruwofuni.rf.gd/automation_anywhere_enterprise_client.pdf
    • http://wevedikelu.epizy.com/california_dmv_change_of_address_form_14.pdf
    • http://renaxederopuva.rf.gd/37594727302.pdf
    • http://zegemipufe.epizy.com/video_er_linkedin.pdf
    • http://lifised.epizy.com/pioneer_vsx_305_review.pdf
    • http://voxomat.epizy.com/sahasra_ek_arabya_rajani.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dff8.bin
d912141e36daa061825139ad9a4dd3c954baaf2c8e8ab26d06d7f414a7d1962e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDFF8 5252 bytes
font_01_sfnt_off0000f1d7.bin
81a4d0d7d45619b7afa480f35a832a1bbcf08e79332006994617a07884e092df		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF1D7 10364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.