Malicious PDF — malware analysis report

Static analysis result for SHA-256 13dbab2fc2a8aa44…

MALICIOUS

PDF

73.3 KB Created: 2021-02-27 04:13:46 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 818228f1462e1c18a481e435904b0315 SHA-1: 57f6b75c2b8ab95621cfc3f091c853819257f332 SHA-256: 13dbab2fc2a8aa440c2862bdf786e5097556812eeff2140c8624ddc2b2a4f0cc
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that redirects to a malicious domain, likely intended to host a phishing page or download further malware. The document body is heavily obfuscated, but the presence of the external URI and the ML classifier's high confidence score indicate malicious intent. The ClamAV detection further confirms this, identifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/123?utm_term=char+broil+big+easy+recipes+chicken
    • https://cdn.sqhk.co/limizolaxa/aibTjfV/68766748805.pdf
    • http://sulelufisumi.iblogger.org/scott_pilgrim_vs_the_world_comic_book_free.pdf
    • http://fubogabosurek.22web.org/99000356562.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://doboxibefir.rf.gd/pupukibozivadi.pdf
    • http://fiwujugisijema.epizy.com/8570858876.pdf
    • http://fepezafo.rf.gd/kaxexujuwuxamazoguzogex.pdf
    • https://s3.amazonaws.com/zexozavo/nosimalovominejisefomis.pdf
    • http://repajazofuwide.epizy.com/water_aid_annual_report_2018.pdf
    • https://s3.amazonaws.com/rogugagatuf/2598905436.pdf
    • http://mowesedapi.epizy.com/itunes_manual_backup_what_is_backed_up.pdf
    • https://s3.amazonaws.com/safenalavojuwu/direct_debit_mandate_form_template.pdf
    • https://s3.amazonaws.com/sugowubuf/nejijetoza.pdf
    • https://s3.amazonaws.com/napisakaluja/vesifoj.pdf
    • https://s3.amazonaws.com/widuxade/finding_half_and_quarter_of_shapes_worksheet.pdf
    • https://s3.amazonaws.com/safenalavojuwu/olympus_camedia_master_4._2_free.pdf
    • http://volowunodevikel.rf.gd/xefudefamawiselemupodo.pdf
    • http://jeloneliva.epizy.com/94784934165.pdf
    • http://jeduvuvojupan.rf.gd/central_station_full_movie.pdf
    • https://s3.amazonaws.com/nuselufuzo/surawamumilufe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e191.bin
062bb6013c88e7808407bb5c78e924e66ec02692f130f1cce4024dab5340fba7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE191 5408 bytes
font_01_sfnt_off0000f3f1.bin
084127a7c009f7076d6f0a86d2c9f9b0a0a7a9c7008445b73301b4ba437f939e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF3F1 10572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.