Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b056d5b40ae6999…

Verdict: MALICIOUS
File type: PDF
Size: 75.4 KB
Created: 2021-04-20 11:42:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 36ae801686b58066aa9733fc1ce97591
SHA-1: 84135f2192d6fe9c223786fd751195ef03b2918e
SHA-256: 1b056d5b40ae6999ca14da489d00dcc5b4d5dd03916f7181e094b9d0cb6d6d3d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The ML classifier and ClamAV detection strongly indicate maliciousness. The PDF contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware download site. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to exploit vulnerabilities or trick the user into visiting a malicious resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/strik?utm_term=word+count+hadoop+python
    • https://cdn-cms.f-static.net/uploads/4454665/normal_6032fd8136c77.pdf
    • http://vogudikomi.getenjoyment.net/39927214070.pdf
    • http://zizodoroluxonaf.sportsontheweb.net/gozikum.pdf
    • https://cdn-cms.f-static.net/uploads/4495262/normal_602d879f1a2b1.pdf
    • http://lizoguxumugef.mywebcommunity.org/76621408139.pdf
    • http://lizowaw.scienceontheweb.net/7th_grade_math_standards.pdf
    • http://dokojekiferej.mygamesonline.org/gallium_arsenide_solar_cells.pdf
    • https://static.s123-cdn-static.com/uploads/4377377/normal_60002018e485e.pdf
    • http://bamiluzigu.mygamesonline.org/48572326362.pdf
    • http://carinsusa.info/wepaxolavv3wd9.pdf
    • http://instapriz365.site/serta_motion_essentials_iii_adjustable_base_headboard_bracketsbpg28.pdf
    • http://idealica-uficiale.website/tekakejipupesefutazedawoe07.pdf
    • http://pushbiz.fun/buxenipapibifuluzuwunumaggz8en.pdf
    • http://oblakova.ru/5946268872ukdi7.pdf
    • http://sugameloxufe.mywebcommunity.org/internal_audit_jobs_in_south_africa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://namakanexir.atwebpages.com/lozumubedogokorosawoxa.pdf
    • http://bememikat.onlinewebshop.net/39979852348.pdf
    • https://uploads.strikinglycdn.com/files/9e8e305b-57f2-4530-89f8-9d3391b1129a/introduction_to_computers_for_engineers_rutgers.pdf
    • https://3c1efe6f-6e34-41bb-a2c4-2be85dd3cb33.filesusr.com/ugd/41f880_9f9869722f614551bd7845e4ec7adf09.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1ba1f59b-fe29-47db-89fd-6f903c0af96c/gipogapatugajiwo.pdf
    • https://uploads.strikinglycdn.com/files/9c56ed66-543b-432a-966b-301a2af7eff5/82329418274.pdf
    • https://721ea522-a1f6-4523-903e-24b3c8014629.filesusr.com/ugd/5a834c_40f4ed2703d8436e9efdebf414175c8f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/92d92931-0825-462b-bea6-133d80773acb/what_are_colleges_doing_for_spring_2021.pdf
    • https://e49cd12a-7e53-4a25-9f98-ae37b5ff2e44.filesusr.com/ugd/35dc59_00802be0ead740309ae85e2a8cf9b3b2.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e8be.bin | 05a03729660d883536c2587eb027f645716085e758696710d1f4ee5a31f6e889 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE8BE | 5064 bytes
font_01_sfnt_off0000fa07.bin | 0fed9ad51e291b81dca8aeb35d17813f49317fc82f670680722bb4769eda9749 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFA07 | 11268 bytes