Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e4a9d85fc5bc6d7…

Verdict: MALICIOUS
File type: PDF
Size: 75.3 KB
Created: 2021-03-13 13:15:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1cbccc856b3466279c4b1512cef81b49
SHA-1: 17edc4739f541f1e1a2f2433458380a2148df781
SHA-256: 1e4a9d85fc5bc6d7fe2d8a752885f5d29e19daf4de33550e9ae43c67372753ef
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URL that directs users to a suspicious domain, likely for further exploitation. The document body, though heavily obfuscated, contains references to 'Colby campus map' and 'wkhtmltopdf', suggesting a lure to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ddd5.bin
    SHA-256: 54c87ef5b1cb1eb8c2196c5ee6a873b9076dc10959a29d4f5c09fdd324386871
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDDD5
    Size: 4776 bytes
  • font_01_sfnt_off0000ee14.bin
    SHA-256: 4b3158deb83e42993e59d895f82169f166f7a8bade770fad4ae8c0eaf1f76232
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE14
    Size: 10412 bytes
  • font_02_sfnt_off0001115a.bin
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1115A
    Size: 4324 bytes