Malicious PDF — malware analysis report

Static analysis result for SHA-256 1eba5eb35068f2a0…

Verdict: MALICIOUS
File type: PDF
Size: 79.6 KB
Created: 2021-03-11 17:06:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c6bac74fccf80f145e7ff2208cbc72a
SHA-1: d50772521c6ec2f26275b130fc0f51cd851a0b59
SHA-256: 1eba5eb35068f2a044e55c52c8844fc49805d5f187e88c39e9becc2848419522
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded URLs and is flagged by ClamAV as a phishing trojan. The ML classifier also strongly indicates maliciousness. The document body, though heavily obfuscated, contains text related to a Punjabi movie, suggesting a lure to trick users into visiting the malicious URL for a fake download. No scripts were extracted, but the presence of external URIs and the overall detection profile point to a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ef7b.bin | a943806aab183d7014b815e1694033664e6e4f565eecf8af5f7d254e5702d5c0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF7B | 4996 bytes
font_01_sfnt_off00010055.bin | da402d51366bae46a1936c5e05531674ee4d045de8476b5f88312279a92c3a01 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10055 | 2840 bytes
font_02_sfnt_off00010c68.bin | badb2f7d93c8765aedc90e3e3b98d5bcd307799ae2e51b353c51ccc3965866f2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C68 | 10164 bytes