Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e63d9bba3d59adc…

Verdict: MALICIOUS
File type: PDF
Size: 73.3 KB
Created: 2021-05-16 00:22:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6dbe6e6bee1138cd247d7da640c49ed4
SHA-1: d65ae3063b336ac60687c177e7037e09d6c218cd
SHA-256: 0e63d9bba3d59adc48858ad12261410498c0be71adcc75812eccadafaac9d697
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Both ClamAV and the ML classifier flag the file as malicious. The document body (reported as obfuscated) suggests a lure themed on 'The Tale of Peter Rabbit'; the feedproxy.google.com URL carries the keyword 'tale of peter rabbit and benjamin bunny'. Most of the extracted URLs are link targets pointing at further PDFs on free file-hosting CDNs (cdn-cms.f-static.net, static.s123-cdn-static.com, uploads.strikinglycdn.com) and on throwaway hostnames, which fits a phishing or malware-distribution chain in which this document is one node and the next stage is reached by the user clicking through rather than by embedded code. No JavaScript or other script was extracted, so the T1059.007 mapping rests on no recovered artifact; the active content that was found is the external URI action. The remaining URLs (the w3.org, purl.org and ns.adobe.com XMP namespace identifiers, and the scripts.sil.org/OFL and ascendercorp.com entries, which look like license and vendor strings from the embedded fonts) are metadata rather than navigable lure links and should not be counted toward the URL-based verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV signature match: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0. The signature name classes the file as a PDF phishing trojan; it is the only critical finding.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (/S /URI), the mechanism by which a link annotation or an OpenAction opens a web resource.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last will resolve different content, a parser-confusion shape used by targeted PDFs to show a scanner one thing and the viewer another. Body-only differences are also common in benign incremental updates (a saved form, an added annotation), so severity is raised only when the duplicate carries active content such as a URI, JavaScript or launch action. The report does not identify which object is duplicated.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; per-URL channel labels (macro, JS, link annotation, document body, ...) identify which channel reached each URL, and none are shown in this listing.
    • https://cdn-cms.f-static.net/uploads/4464068/normal_60503e046836c.pdf
    • http://elerctum.org/cisco_catalyst_3850_24_port_data_sheetgugbd.pdf
    • http://idealica-uficialeitalia.website/nubikemojomiauo5i.pdf
    • https://cdn-cms.f-static.net/uploads/4481509/normal_603b937c3eb98.pdf
    • https://static.s123-cdn-static.com/uploads/4488141/normal_5ff16c40ec7bb.pdf
    • https://cdn-cms.f-static.net/uploads/4372955/normal_6061dc87a744a.pdf
    • https://cdn-cms.f-static.net/uploads/4498645/normal_6041d5894cf87.pdf
    • https://static.s123-cdn-static.com/uploads/4426558/normal_600049b068ad3.pdf
    • https://cdn-cms.f-static.net/uploads/4445343/normal_6069d970dd113.pdf
    • https://static.s123-cdn-static.com/uploads/4491725/normal_60090243027c4.pdf
    • http://liwitesuzemumex.sportsontheweb.net/compound_adjectives_list_and_meaning.pdf
    • https://cdn-cms.f-static.net/uploads/4502336/normal_601f1150082d2.pdf
    • https://static.s123-cdn-static.com/uploads/4489615/normal_5fcf31c1d8786.pdf
    • http://bamupiwabibajew.mywebcommunity.org/zikawokiferimob.pdf
    • https://static.s123-cdn-static.com/uploads/4411931/normal_6003220b9c3ec.pdf
    • http://dufigep.scienceontheweb.net/luzesazusanojodow.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://feedproxy.google.com/~r/wb/ENAH/~3/kMuynZNWtA0/wb?keyword=tale%20of%20peter%20rabbit%20and%20benjamin%20bunny
    • https://uploads.strikinglycdn.com/files/6ec80540-e6a2-416d-aa91-8adc5543af52/judig.pdf
    • https://uploads.strikinglycdn.com/files/5fe24b64-9715-4581-9320-d15ae088c55c/who_fears_death_nnedi_okorafor.pdf
    • http://jisijuvod.myartsonline.com/synonyms_worksheet_for_grade_3.pdf
    • https://uploads.strikinglycdn.com/files/314d751d-bd3e-45b2-b4e6-181550d6c1a6/systems_engineering_certification_mit.pdf
    • https://uploads.strikinglycdn.com/files/e8e54061-6e2b-4dde-b7d6-2ea6784059a7/easton_bloodline_arrow_selection_chart.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
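The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics interact: if the object that was redefined is the URI action, a scanner that resolves the first copy and a viewer that resolves the last will report different link targets. The Python below is an added example, not part of this report or of the tooling that produced it. It byte-scans a PDF for every `N G obj ... endobj` definition without consulting the xref table, records every body each object was given, extracts the /URI target a first-wins and a last-wins reader would each resolve, and applies the severity rule the heuristic describes. The embedded PDF is constructed for the example; its object numbers, URLs and function names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a first revision whose link
# annotation (6 0) points at a benign URI through action object 7 0, followed
# by an incremental update that redefines 7 0 with a different /URI.
# Object numbers and URLs are arbitrary placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R] >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A 7 0 R >> endobj
7 0 obj << /S /URI /URI (https://example.org/benign.pdf) >> endobj
trailer << /Root 1 0 R >>
%%EOF
7 0 obj << /S /URI /URI (http://lure.example/nubikemojo.pdf) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)
# Keys that make a duplicated object "active" rather than cosmetic.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/GoToR")


def index_objects(data):
    """Map (num, gen) -> every body defined for it, in file order.

    Deliberately xref-agnostic: the point is to see all copies, not the one
    the xref table would select. Objects packed inside /ObjStm streams are
    not visible to this scan.
    """
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """(num, gen) pairs defined more than once with differing body bytes."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def extract_uris(body):
    return [u.decode("latin-1") for u in URI_RE.findall(body)]


def uri_views(data):
    """What a first-wins and a last-wins reader resolve for each duplicated object."""
    views = {}
    for key, bodies in duplicate_objects(index_objects(data)).items():
        views[key] = {"first_wins": extract_uris(bodies[0]),
                      "last_wins": extract_uris(bodies[-1])}
    return views


def duplicate_severity(data):
    """'high' when any copy of a duplicated object carries active content, else 'info'."""
    result = {}
    for key, bodies in duplicate_objects(index_objects(data)).items():
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        result[key] = "high" if active else "info"
    return result


def all_uris(data):
    """Every /URI action target in the file, whichever revision defines it (the PDF_URI channel)."""
    return sorted({u for bodies in index_objects(data).values() for b in bodies for u in extract_uris(b)})


if __name__ == "__main__":
    for key, v in uri_views(SAMPLE_PDF).items():
        print(f"obj {key[0]} {key[1]}: first-wins -> {v['first_wins']}, last-wins -> {v['last_wins']}")
    print(duplicate_severity(SAMPLE_PDF))
    print(all_uris(SAMPLE_PDF))
```

Against the sample, object 7 0 resolves to the benign URI under first-wins and to the lure URI under last-wins, and the duplicate is rated high because both copies carry a /URI. The scan is intentionally not a PDF parser: it ignores xref offsets (so it sees copies a conforming reader would skip) and does not decompress object streams, so a duplicate hidden inside an /ObjStm needs the stream inflated first.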

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e026.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE026   5276 bytes
  SHA-256: e66f137d16314859d28f7a797054090618ce9dd526dfa31730711fc252c59e07
font_01_sfnt_off0000f20d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF20D   11036 bytes
  SHA-256: 0778483496347069db9c3cc96824b8081edcb028bd3fe3681b7bcb063543511a
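The ascendercorp.com and scripts.sil.org/OFL entries in the URL list look like the vendor and license strings an sfnt 'name' table carries, and two embedded sfnt fonts were carved from this file. The Python below is an added example, not part of this report or its tooling: it parses the 'name' table of an sfnt and reports which name record each URL came from, so font metadata can be separated from link-annotation targets before a URL count feeds a verdict. The fixture font, its placeholder vendor domain and the function names are constructed for the example; only the OFL URL is the real SIL license address.

```python
import re
import struct

URL_RE = re.compile(r"https?://\S+")
# OpenType 'name' table IDs whose strings normally hold URLs.
URL_NAME_IDS = {11: "vendor URL", 12: "designer URL", 14: "license URL"}


def parse_name_table(font):
    """Return [(name_id, text)] from an sfnt's 'name' table, or [] if it has none."""
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        rec = 12 + 16 * i                      # 12-byte header, 16-byte table records
        tag = font[rec:rec + 4]
        offset, length = struct.unpack(">II", font[rec + 8:rec + 16])
        if tag == b"name":
            break
    else:
        return []
    table = font[offset:offset + length]
    _fmt, count, str_off = struct.unpack(">HHH", table[:6])
    names = []
    for i in range(count):
        pid, _eid, _lid, nid, ln, off = struct.unpack(">HHHHHH", table[6 + 12 * i:18 + 12 * i])
        raw = table[str_off + off:str_off + off + ln]
        # Unicode (0) and Windows (3) platforms store UTF-16BE; Macintosh records are
        # single-byte (Mac Roman, approximated here with latin-1).
        text = raw.decode("utf-16-be", "replace") if pid in (0, 3) else raw.decode("latin-1", "replace")
        names.append((nid, text))
    return names


def font_urls(font):
    """URLs present in the font's metadata, labelled by the name record that carried them."""
    found = []
    for nid, text in parse_name_table(font):
        for url in URL_RE.findall(text):
            found.append((URL_NAME_IDS.get(nid, f"name id {nid}"), url))
    return found


def build_sfnt(name_strings):
    """Constructed fixture: a minimal sfnt holding only a format-0 'name' table with
    Macintosh-platform records. Real fonts carry many more tables; checksums are left 0."""
    records, storage = b"", b""
    for name_id, text in name_strings:
        s = text.encode("latin-1")
        records += struct.pack(">HHHHHH", 1, 0, 0, name_id, len(s), len(storage))
        storage += s
    count = len(name_strings)
    name_table = struct.pack(">HHH", 0, count, 6 + 12 * count) + records + storage
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)          # one table
    directory = b"name" + struct.pack(">III", 0, 12 + 16, len(name_table))
    return header + directory + name_table


# Constructed sample metadata: placeholder vendor domain, real SIL OFL license URL.
SAMPLE_NAMES = [
    (8, "Example Foundry"),
    (11, "http://www.foundry.example/"),
    (12, "http://www.foundry.example/typedesigners.html"),
    (13, "This Font Software is licensed under the SIL Open Font License, Version 1.1."),
    (14, "http://scripts.sil.org/OFL"),
]
SAMPLE_FONT = build_sfnt(SAMPLE_NAMES)


if __name__ == "__main__":
    # For the carved artifacts above, once the stream is a raw (decompressed) sfnt:
    #   font_urls(pdf_bytes[0xE026:0xE026 + 5276])
    for label, url in font_urls(SAMPLE_FONT):
        print(f"{label}: {url}")
```

Any URL this reports came from the font's own metadata and is reached by no click, script or action in the document; a URL that appears in the PDF's URL list but not in any font or XMP namespace is the one that deserves attention as a lure target.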