Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d569dd82ad5b4d5…

Verdict: MALICIOUS
File type: PDF
Size: 78.7 KB
Created: 2021-03-31 16:14:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e98791074a95103fd195fafab0144557
SHA-1: d06e5c4513fd2ba5c5b49dfdc96abaac0d142a4f
SHA-256: 1d569dd82ad5b4d59e1953d2954c02182230114989d91e63d7297a09a3085e21
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF containing an embedded URL that points to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, appears to be a lure related to 'Aviones alemanes segunda guerra mundial pdf', likely intended to trick users into visiting the external URL for malicious purposes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://jacksth.ru/award?keyword=aviones+alemanes+segunda+guerra+mundial+pdf
    • https://cdn.sqhk.co/noxomosanena/ekWigja/vocaleapp_cheap_international_calls_app_for_iphone.pdf
    • http://lozejebivo.scienceontheweb.net/principles_of_naval_architecture_vol_3.pdf
    • http://bewizasosu.sportsontheweb.net/pafumirimulizawamibu.pdf
    • http://mawosatejojeka.sportsontheweb.net/eton_mini_compact_am_fm_shortwave_radio_review.pdf
    • http://busivel.xyz/tp_link_n750_access_pointgj9ae.pdf
    • https://jubaluwaruzazux.weebly.com/uploads/1/3/2/7/132740890/fotosisofu.pdf
    • http://naturaleone.space/sademowetalafoly3hcp.pdf
    • https://cdn.sqhk.co/vuwonesi/gipjcow/running_on_empty_lyrics_meaning.pdf
    • https://turarizamagux.weebly.com/uploads/1/3/1/4/131453837/lovupijerivufu.pdf
    • https://cdn.sqhk.co/dewozoju/8gjPJNB/nukavudivasenemigazudu.pdf
    • https://cdn.sqhk.co/verexoleki/3MlejiT/fuzoj.pdf
    • https://fufuwotasivixi.weebly.com/uploads/1/3/5/9/135966690/kigifodetobi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://1d812fcc-cfc3-4558-a870-56fc5b7f4c2e.filesusr.com/ugd/754d94_541d4af1ba0548fe9c3d9f70e1a46fa7.pdf?index=true
    • https://uploads.strikinglycdn.com/files/d24d0611-6ad8-44ab-a54d-875d1a16cbb6/fepiluxavobig.pdf
    • https://e06e8306-d71e-4c92-aa1b-e8c52eeb44cb.filesusr.com/ugd/bc4951_5aee09db9af04d19a2e237672cfdd8dc.pdf?index=true
    • https://1b6fe947-be7e-4494-9a94-f566f178d3d1.filesusr.com/ugd/89064d_6cb98f1607ba4758bac57df133515bdd.pdf?index=true
    • https://f8b2de7a-6012-4721-b8f1-df5267d6bb95.filesusr.com/ugd/8ebb60_61827748a48841babb0bacac81489478.pdf?index=true
    • https://uploads.strikinglycdn.com/files/60a5681a-eb66-4664-8e2c-3518965a47a0/siemens_thermostat_rdh10rf_problems.pdf
    • http://jojulupijawide.onlinewebshop.net/bonos_menu.pdf
    • http://liraperuwuw.atwebpages.com/clear_sky_chart_android_app.pdf
    • https://uploads.strikinglycdn.com/files/47cccf2c-c97a-4e4a-ac28-36811973cd8b/how_to_troubleshoot_bosch_washing_machine.pdf
    • https://uploads.strikinglycdn.com/files/03dd2fc1-9c54-42b2-ad7d-8b42acf606b7/6452903669.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f2b1.bin
    SHA-256: f2d2e30e5ec5633e41ae6c70c65a3c1ed83b25233146c1d02cd1556a17b1769e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF2B1
    Size: 5412 bytes
  • font_01_sfnt_off0001050a.bin
    SHA-256: 3d74be992a9ceea7b03339a01a091f81c2c192d1f7384a9184e88dca0752e523
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1050A
    Size: 12912 bytes