Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ae11d976a80a72c…

MALICIOUS

PDF

73.9 KB Created: 2021-04-07 13:29:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62e46303eb2cabb13ec258299cfe4a7b SHA-1: dba915a18a713b53332f557d3147e4ae139089d2 SHA-256: 1ae11d976a80a72c753ed2c09ce55251d1b7708562a9e7691cd191d6f42e3afe
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier and ClamAV detection strongly indicate malicious intent. The PDF contains embedded URLs that likely lead to further malicious content or phishing pages. The document body, though heavily obfuscated, suggests a lure related to a 'Calendar 2020 pakistan pdf'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://europa-ts.ru/sites/default/files/webform/81905598419.pdf
    • http://portal-mysigma.com/system/files/student-proof/pifudolaloxafedotodela.pdf
    • https://extranet.blanchisserie-toulousaine-de-sante.com/sites/extranet.blanchisserie-toulousaine-de-sante.com/files/documents/justificatifs/bugoxugokerudanetisene.pdf
    • http://www.muttypawsacademy.com/sites/default/files/webform/vaccines/ranet.pdf
    • https://www.a1touchsolution.nl/sites/default/files/xofarazenufokedakuzos.pdf
    • https://www.natsihwa.org.au/sites/default/files/webform/zolevijovexoneda.pdf
    • https://www.pharoxglobal.com/sites/default/files/webform/27804174203.pdf
    • http://seiary.com/sites/default/files/webform/rec/6045441545.pdf
    • https://grossenbacher.co.nz/en/system/files/avoidance-training-certificates/xetomaroronep.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=calendar+2020+pakistan+pdf
    • https://lib.asu.edu/system/files/webform/rutepirunumobapof.pdf
    • https://printandmail.princeton.edu/system/files/webform/zupedofijemurak.pdf
    • https://ec.europa.eu/eip/agriculture/sites/default/files/webform/5272012193.pdf
    • https://lib.asu.edu/system/files/webform/85824103047.pdf
    • https://minorsoncampus.princeton.edu/system/files/webform/xadumiwedom.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e289.bin
4f4c8ebcae551ebc050ffed37b3687c62f68b7ba6df5d9c2c879713d4d42ad70		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE289 5276 bytes
font_01_sfnt_off0000f485.bin
7239e50978cd507e488371c0f2ae1d98acaf20fbd86aa0f467098e3ddc6c317a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF485 10888 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.