Malicious PDF — malware analysis report

Static analysis result for SHA-256 15f80007054601ab…

Verdict: MALICIOUS
File type: PDF
Size: 71.4 KB
Created: 2021-03-15 17:09:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d30dfb1e78b9f6c66f885b3f374da69d
SHA-1: 77fdc8e023c18058ea4b57ca87398f1d5db3eb45
SHA-256: 15f80007054601ab4cfeec2932e2026fc53db7db9c24394d2d627621303e07ca
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier returned a high probability of maliciousness. The document body, though heavily obfuscated, contains text that suggests it is mimicking a search result for "ap macroeconomics multiple choice 2010". The primary IOC is an external URI pointing to a URL that likely hosts a malicious payload or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/wix?keyword=ap+macroeconomics+multiple+choice+2010
    • https://cdn.sqhk.co/fudamozomeb/higfHp8/huawei_health_apple_watch.pdf
    • https://cdn.sqhk.co/zifuvifiweva/Uwjgjjj/pufesodukurebalumor.pdf
    • http://wuvilorilete.22web.org/zofalerukolexijiseli.pdf
    • https://cdn.sqhk.co/bodujemep/vFjcijy/tidibogexopajexidevarofu.pdf
    • http://vizisas.iblogger.org/fivipomuv.pdf
    • http://wadumutid.iblogger.org/54989120634.pdf
    • http://juvozukatug.66ghz.com/88768506652.pdf
    • https://cdn.sqhk.co/jesarijufe/iaQmgsi/96194594087.pdf
    • https://cdn.sqhk.co/bosejadukifo/dgcjhoJ/6353852319.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7a4f94d3-db89-47d8-9b3e-f3542c5d51ba/oven_elite_power_air_fryer_manual.pdf
    • https://ab09db5e-f077-45fc-8e9c-dcfbe0041c42.filesusr.com/ugd/3835dd_ff5cff8d5d53494183ce5b39b2d44ec9.pdf?index=true
    • https://bf808793-8b46-4c54-8b11-319763181fa0.filesusr.com/ugd/0d018b_cd4680f1b4474faf92e0154ddfd1e4bc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/39ff5d56-7c3f-4a2f-ad6a-9a12b00280f2/stephen_king_carrie_book_online.pdf
    • https://uploads.strikinglycdn.com/files/2c6487a9-33fc-431d-948e-c02124439d8d/what_does_facilitator_mean_in_2k.pdf
    • https://s3.amazonaws.com/zerepuzuze/godfather_moe_greene_death_scene.pdf
    • http://vedogitunenaki.rf.gd/que_es_el_lenguaje_verbal_segun_autores.pdf
    • https://b064d0e4-88d6-4b7e-8087-8ebf790fcba6.filesusr.com/ugd/ca32a8_a9e242d2c2e04bc1b9a25fda5023ac7c.pdf?index=true
    • https://s3.amazonaws.com/tubukeganuji/dopt_guidelines_vigilance_clearance_for_promotion.pdf
    • http://jojemoditupu.rf.gd/find_duplicates_in_two_different_excel_sheets.pdf
    • http://vubedarav.epizy.com/lujuxen.pdf
    • https://s3.amazonaws.com/sudevejerifu/32553634646.pdf
    • https://s3.amazonaws.com/satudifin/90641719017.pdf
    • https://uploads.strikinglycdn.com/files/79862e90-ee9e-41d6-9906-e52771be3bf6/69064368747.pdf
    • http://difugarulid.epizy.com/billy_joel_uptown_girl_piano_sheet_music.pdf
    • https://uploads.strikinglycdn.com/files/dda3e04e-8bbd-4f37-a856-d6fc8a20b904/6605418328.pdf
    • https://b5c90759-dbf8-4ccd-b12d-e23c958527f9.filesusr.com/ugd/915a55_7aa2427936734b17bc47df988a4d8160.pdf?index=true
    • https://s3.amazonaws.com/dobikasukavu/sony_wega_tv_no_remote.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000d9b2.bin
    SHA-256: 5985aa808f42c2c455fc1875266764d2f3e271c7d344ee22edcf8c16e8a7e7ad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD9B2
    Size: 5488 bytes
  • Filename: font_01_sfnt_off0000ec2f.bin
    SHA-256: 5601eb342c6f33a31f02ad8e0785f7c1f40b3d825074087f30444867bb85cc2f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC2F
    Size: 10588 bytes