Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b579f632951d3db…

Verdict: MALICIOUS
File type: PDF
Size: 91.8 KB
Created: 2021-06-05 05:24:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 000603f98a42c5931da37420ccf70ebe
SHA-1: d4def1a106a1dac1ca43c5374f6b02b711fa43b9
SHA-256: 1b579f632951d3dbe6b362665d4d4d9519e3b70fed88d3ce1428748e58c4830c
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, with a high risk score. It contains an embedded URL pointing to 'philabc.ru', which is likely used for phishing or to download a secondary payload. No scripts were extracted, but the presence of the malicious URL and the strong detection signals indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://philabc.ru/pbw?utm_term=chak+de+india+full+movie+online+einthusan
    • https://rakamukomegu.weebly.com/uploads/1/3/2/6/132681656/3059809.pdf
    • https://lefesime.weebly.com/uploads/1/3/4/8/134882546/261513.pdf
    • https://lamuwopinu.weebly.com/uploads/1/3/4/6/134632291/0c9e3b.pdf
    • https://minadefimufev.weebly.com/uploads/1/3/4/6/134635785/3341601.pdf
    • https://zorepuwozodu.weebly.com/uploads/1/3/4/3/134399810/gevutibukanaz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://giwupiraride.pbworks.com/w/file/fetch/144445875/26182689697.pdf
    • http://redejok.pbworks.com/w/file/fetch/144521145/37277457555.pdf
    • http://ronuzexem.pbworks.com/w/file/fetch/144640992/noxari.pdf
    • http://komogabovuwa.pbworks.com/w/file/fetch/144587331/zulovuxiropatu.pdf
    • http://pusavivo.pbworks.com/w/file/fetch/144571665/71888423202.pdf
    • https://uploads.strikinglycdn.com/files/f776112a-977a-4cb5-83ab-a8689d5c79b3/traductor_frances_espaol_pons.pdf
    • https://uploads.strikinglycdn.com/files/f4480de1-7337-4c2f-8835-98b53f22f84e/ruxinewowiminatowaf.pdf
    • http://wisarazed.pbworks.com/w/file/fetch/144459336/stealth_cam_p12_settings.pdf
    • http://pojaweku.pbworks.com/w/file/fetch/144463500/how_to_put_maytag_neptune_washer_in_diagnostic_mode.pdf
    • https://uploads.strikinglycdn.com/files/94b922a7-6ac1-4cc1-937e-8c3c14d85ec2/pdf_lista_de_verbos_regulares_en_ingles_presente_pasado_y_participio.pdf
    • http://xixokuzujoz.pbworks.com/w/file/fetch/144640854/40552030585.pdf
    • http://wezenibafasi.pbworks.com/f/how_do_i_change_the_4_digit_code_on_my_schlage_keypad.pdf
    • https://uploads.strikinglycdn.com/files/77f3a78e-e8f5-4dc6-bbb3-4ed499e5a316/11611784831.pdf
    • https://uploads.strikinglycdn.com/files/9ee868b9-b90f-484d-ac88-84bf5b5ed035/14639138391.pdf
    • https://uploads.strikinglycdn.com/files/5caa588b-9403-449a-abbb-3986fb47fefb/doctor_zhivago_libro_opinion.pdf
    • http://rimikupababo.pbworks.com/f/73600910326.pdf
    • http://jozeluwofe.pbworks.com/f/keresirupefol.pdf
    • http://panuduxeruv.pbworks.com/w/file/fetch/144585111/kuxuliduzo.pdf
    • https://uploads.strikinglycdn.com/files/1f9a8b75-9d5e-421f-99ff-137ca3245fa7/56149094690.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://sinhala.sourceforge.net/
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
    • http://www.gnu.org/licenses/gpl-2.0.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ef8a.bin
    SHA-256: 5e36529c619d53a8a677a56147af9a310e6bf871a3db51feb83b1f717f5f3811
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF8A
    Size: 5080 bytes
  • font_01_sfnt_off00010077.bin
    SHA-256: fe30bc9037727649b51e8d218724f3b1819f7093d74a60d9a9c88ae9280b1cf6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10077
    Size: 13880 bytes
  • font_02_sfnt_off00012565.bin
    SHA-256: df6c70c4045f7a5942b29ada1e61564efbe343badf9a225a6781c14810b8382f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12565
    Size: 11160 bytes
  • font_03_sfnt_off00014b19.bin
    SHA-256: e296a61d2d303e35be9e1a35631556663d2780498efa7e8f3867bf557f172fe6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14B19
    Size: 16164 bytes