Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fca00867f3f0482…

MALICIOUS

PDF

Size: 96.8 KB
Created: 2021-03-31 01:38:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d6c953a25ddeae5a19faff65ae47a8bf
SHA-1: bd495a189fe5eba9ae1656c6185760c1b239e84c
SHA-256: 1fca00867f3f048217bb134ab0162001f9aae2b09094c23f08142514727028ed
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI that redirects to a URL associated with phishing. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to deliver a phishing page or download a second-stage payload. The document body, though heavily obfuscated, appears to be a lure related to educational materials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00011eb8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11EB8 | 5700 bytes | 4bd4b03bfbcc8a9e170da3eab702a42f5989af31aee4e3fb4e2f6e15b8d4b25d
font_01_sfnt_off00013218.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13218 | 13716 bytes | 66b4d075c15b6f9004ccf71bbd6542b013e675ed7891c448af3abb34594738d8
font_02_sfnt_off00015ddf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15DDF | 16388 bytes | 4189bb5d82d37c3b06c761c00ca3b3c8a7a7312639514cd6a20481e76712d457