Malicious PDF — malware analysis report

Static analysis result for SHA-256 15400337467b8804…

MALICIOUS

PDF

Size: 91.2 KB
Created: 2021-05-07 03:55:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f361f2dd563129201f547547c14c3c4e
SHA-1: 533374ef5cc74867030a07b99372560a25ab58ac
SHA-256: 15400337467b8804efaeee270a207e733cfae39f5533a5d80550e6e6bf4d6518
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF with high confidence. The document body, though heavily obfuscated, contains references to "learn english advanced level app" and the authoring application, suggesting a social engineering lure to drive users to the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://nipisod.ru/strik?utm_term=learn+english+advanced+level+app

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000105db.bin | a1719fd7bb9fa0474979fb088316aa356d6b33b470cd094c0911b15e99c864bf | pdf-font-stream | PDF embedded font (sfnt) at offset 0x105DB | 5336 bytes
font_01_sfnt_off000117fe.bin | 2b4976bd5700831a6739eb7f99079ca960227e63ecdf520b00463d8acf8bf440 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x117FE | 2504 bytes
font_02_sfnt_off000122e5.bin | 5f8faaccd10cfeebed329d5ceb9dc714e0bda472518d27422262b7c630355696 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x122E5 | 11160 bytes
font_03_sfnt_off00014901.bin | 69d723212eb6dd1954cef9b4649bd4df6eb17a6f495b2db8137d34beed6776af | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14901 | 16332 bytes