Malicious PDF — malware analysis report

Static analysis result for SHA-256 16e16ab4d3092407…

Verdict: MALICIOUS
Type: PDF
Size: 75.8 KB
Created: 2021-04-20 00:53:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 023902e2f3760d9780853e64a2127b20
SHA-1: 79a7bfcea9b0736cbf265e9bb936d4b49c4789ae
SHA-256: 16e16ab4d3092407d8ddfa2b1184265a1aaca3060d3c51be2c21530f040cddb4
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF file was classified as malicious by both the ML classifier and ClamAV, which flags it as a phishing/trojan document. It carries a large set of embedded URLs (an external link action plus many document-body strings), most of which point to suspicious throwaway domains and free-hosting buckets that serve further PDF files; these are most likely meant to deliver a malicious payload or redirect the user to a phishing page. The document body, though heavily obfuscated, appears to mimic a search result page (the primary link even carries a search-style utm_term query), suggesting a social-engineering lure. Note that the T1059.007 (JavaScript) mapping is not backed by any JavaScript-specific heuristic in the static results below; it should be confirmed by dynamic analysis before being relied on.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV signature match; the file is detected as malware under the name shown above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader (one that takes the first definition it encounters) and a last-wins reader (one that honours the latest incremental update) will resolve different content, which is a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the victim's viewer. Body-only differences are also common in benign incremental updates (form fills, annotations, re-saves), so severity is raised only when the duplicated object carries active content such as a /URI, /JS, /Launch or /OpenAction entry.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/strik?utm_term=what+does+it+mean+if+check+engine+light+is+blinking
    • http://zereteleriw.getenjoyment.net/28835454912.pdf
    • http://damvglaz6.xyz/team_lebron_vs_team_giannisxwhhc.pdf
    • http://pro-konditer.com/cuntos_mililitros_hay_en_un_centmetro2gd3g.pdf
    • http://balifruit.com/luvikudotupow0cyb.pdf
    • http://zebiripu.mygamesonline.org/child_and_adolescent_development.pdf
    • http://fabulouss.space/navukipifevidufifolaxuvkc5k7.pdf
    • http://hr-insider.com/summertime_saga_download_pc_new_versionzsu8h.pdf
    • http://tonilakifak.mypressonline.com/thiruvalluvar_university_bsc_maths_syllabus_2020.pdf
    • http://fruittea.space/xixuberukumufisow69km.pdf
    • http://netolenogafa.getenjoyment.net/cognitive_therapy_for_depression.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/a27b9c28-d59c-47bf-9618-c4560861cd8d/winakulajebaboro.pdf
    • https://uploads.strikinglycdn.com/files/54ff792d-0438-40be-807c-ed33a1a4594c/57228749628.pdf
    • https://uploads.strikinglycdn.com/files/4b810467-108d-4c8f-b41c-f8d7c2d40456/77215609709.pdf
    • https://s3.amazonaws.com/pojikovewijeja/sowoz.pdf
    • https://uploads.strikinglycdn.com/files/2392c2b9-180a-4279-8b23-74a8af2a96d9/in_what_order_should_you_read_sherlock_holmes.pdf
    • https://uploads.strikinglycdn.com/files/4ed0f5ca-0673-49b7-b1c4-8d0690dcba71/2924466412.pdf
    • https://s3.amazonaws.com/jasipefulaxiduj/safawuni.pdf
    • https://uploads.strikinglycdn.com/files/5e112a47-737c-41ed-a51d-6d01a0e4aad8/74730658150.pdf
    • https://s3.amazonaws.com/tobito/81821717519.pdf
    • https://uploads.strikinglycdn.com/files/ad55e35b-8950-4cb6-87cd-0ca643d47a75/jodupazorumarowupavuwejam.pdf
    • https://uploads.strikinglycdn.com/files/c8eabb6b-be40-4c37-9a1d-fd309d2e1a2a/31961797062.pdf
    • https://s3.amazonaws.com/vuxirefare/62835531182.pdf
    • https://s3.amazonaws.com/padosumifubobo/innocentia_idols_solo_performance.pdf
    • https://uploads.strikinglycdn.com/files/d3c126b4-d4db-4ad9-af6b-a218d82286ed/simple_human_soap_dispenser_user_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
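To make the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI findings concrete, the following added Python script (written for this report; it is not the analysis platform's own code) scans a PDF for indirect objects that are defined more than once with different bodies, resolves the object table both first-wins and last-wins, and lists the /URI targets each resolution would yield. The sample PDF and its URLs (example.com / example.net) are constructed placeholders, not content from the analysed file; the script deliberately ignores the xref tables and reads object definitions in file order, which is exactly the disagreement between reader types that the heuristic describes.

```python
import re
from collections import defaultdict

# Dictionary keys whose presence in a duplicated object raises severity.
# Substring matching is deliberately crude (e.g. /AA also matches /AAPL);
# a production scanner should tokenise the dictionary instead.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/URI", b"/Launch",
               b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")

# "N G obj ... endobj" in file order. Lazy match stops at the first endobj,
# which is fine for this constructed sample; binary streams containing the
# literal "endobj" would need a stream-aware parser.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed sample: object 4 is a link annotation that an incremental
# update (second trailer) silently redefines with a different target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/original) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.net/replaced) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""


def find_objects(data):
    """Return (num, gen, body, offset) for every object definition, in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """Objects defined more than once with differing bodies, with a severity."""
    defs = defaultdict(list)
    for num, gen, body, off in find_objects(data):
        defs[(num, gen)].append((off, body))
    dups = {}
    for key, entries in defs.items():
        if len(entries) < 2 or len({b for _, b in entries}) < 2:
            continue  # single definition, or byte-identical repeats
        first, last = entries[0][1], entries[-1][1]
        active = any(k in first or k in last for k in ACTIVE_KEYS)
        dups[key] = {"count": len(entries), "first": first, "last": last,
                     "severity": "high" if active else "info"}
    return dups


def resolve(data, policy):
    """Build an object table using a first-wins or last-wins policy."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    table = {}
    for num, gen, body, _ in find_objects(data):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def uris(table):
    """Sorted /URI targets reachable through the given object table."""
    found = set()
    for body in table.values():
        for m in URI_RE.finditer(body):
            found.add(m.group(1).decode("latin-1"))
    return sorted(found)


if __name__ == "__main__":
    for (num, gen), info in duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined {info['count']}x, severity={info['severity']}")
    print("first-wins URIs:", uris(resolve(SAMPLE_PDF, "first")))
    print("last-wins  URIs:", uris(resolve(SAMPLE_PDF, "last")))
```

Run against a real sample, the two URI lists should be compared with what the viewer actually follows; a scanner that only honours the first definition will miss the replaced target entirely, which is why the heuristic raises severity when the duplicated object carries an active-content key.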

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off0000e8ea.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE8EA  5556 bytes
  SHA-256: 46352ee3b6cf22d99f88fe0a545947bdde7fcb227c56900348b1b0e207ffaaaa
font_01_sfnt_off0000fbc2.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xFBC2  10692 bytes
  SHA-256: a0d9d872e3ca65b9f4475ee6870ea4400ff2512e1f774cb6e7856468d535501c