Malicious PDF — malware analysis report

Static analysis result for SHA-256 2593c70e9918474e…

Verdict: MALICIOUS

File type: PDF

Size: 82.6 KB
Created: 2021-03-24 09:55:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd1e06091eafb74ffb05811160663afb
SHA-1: d19dfc9911b6dbb6b0a5d2055690f616e92f6d03
SHA-256: 2593c70e9918474e4d1283e5d263f8c4bfe0ebb0260d2d6078eef5bbdc95370e
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that sends the reader to a site disguised as a search result for remote control codes (the query string carries the search term "sanyo tv universal remote codes"). That URL is flagged as suspicious, and the file matches a ClamAV signature for a PDF phishing trojan. The ML classifier also scores the document as malicious, which is consistent with a lure document whose purpose is to trick the reader into visiting a harmful site. Note that the link is the only active content reported by the heuristics below; no JavaScript, launch action or embedded file was flagged, so the ATT&CK JavaScript tag should be read against that absence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9925

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content for the same reference, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a save appends a new copy of a changed object after the previous %%EOF), so severity is raised only when the duplicate carries active content such as a URI, JavaScript or launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=sanyo+tv+universal+remote+codes+5+digit (flagged as suspicious; the link referenced in the insight above)
    • http://dipolomisegon.iblogger.org/kikezitagasor.pdf
    • http://kizefet.iblogger.org/dozikotewete.pdf
    • http://lenagilos.22web.org/ashrae_standard_52._1_free.pdf
    • http://nafivonafiriba.iblogger.org/klebsiella_pneumoniae_antibiotic_resistance.pdf
    • http://nopatoveji.22web.org/92287075550.pdf
    • http://zavifuvalo.22web.org/64285037371.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://fonaxipovun.epizy.com/gixiku.pdf
    • https://101c3d73-5e22-4da1-a203-a3a2a794ce88.filesusr.com/ugd/69a512_b4bd020db7674f89944512d6e2f3d36e.pdf?index=true
    • https://s3.amazonaws.com/gadumagabusodel/film_bajaj_bajuri_the_movie_mp4.pdf
    • https://b86313a8-447b-404d-ae6d-bc69740d899e.filesusr.com/ugd/e54fc7_361d520c4b7a4a468f267752ccd8944d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/07aa42a8-dca9-472c-a7d6-eaf9e2210072/23312674305.pdf
    • http://nofexezizakizu.rf.gd/definicion_de_analisis_de_riesgo.pdf
    • https://c064424b-11a8-4e39-a524-24a74bcd733d.filesusr.com/ugd/54e393_827890d06dfb48ffa68af4aa9831ffe3.pdf?index=true
    • http://bozopuzele.epizy.com/nedaludajego.pdf
    • http://lasemiduje.rf.gd/80913279460.pdf
    • http://pagupim.epizy.com/86487459952.pdf
    • https://uploads.strikinglycdn.com/files/a15714cc-55ff-436b-8555-8f596844a7fc/94963149442.pdf
    • https://s3.amazonaws.com/fadadedezeker/nanepubaxumido.pdf
    • https://uploads.strikinglycdn.com/files/3c4fba97-b1d2-40dc-b8d8-6a0069850cce/que_se_necesita_para_una_fiesta_de_presentacion_de_3_aos.pdf
    • https://8860adff-7f0b-4cf3-a358-cdd560dff136.filesusr.com/ugd/625844_01744519f85041caa8bf51727184437a.pdf?index=true
    • http://gisevidar.rf.gd/gandhiji_easy_images.pdf
    • http://pugetuwozijeso.rf.gd/banjo_video_song_hd.pdf
    • http://gedaseda.rf.gd/maplestory_leveling_guide_pre_big_bang.pdf
    • https://s3.amazonaws.com/bezorito/bairnsdale_secondary_school_uniform.pdf
    • https://2e81f42f-67f9-46a9-89e2-a5f3ab3b03ee.filesusr.com/ugd/f138f5_f233ff21115d4f61b29a0e17f1a5dbf1.pdf?index=true
    • http://fofuxolisemaxim.epizy.com/19632506446.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
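The two heuristics above (PDF_URI / EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small scanner. The following is an added example, not code from the analysis platform that produced this report. It runs over a constructed two-revision PDF embedded in the script: the link annotation (object 4) is defined once in the original revision and again, with a different /URI, in an appended incremental update, while object 5 is re-saved with an identical body (the benign case). The hostnames in the sample are placeholders. The scanner is a byte-level regex pass, so it only sees objects that are stored in plain text: object streams, encrypted files and PDF string escapes are out of scope.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): revision 1 defines link
# annotation 4 with one URI; the incremental update appended after the
# first %%EOF redefines object 4 with a different URI. Object 5 is
# rewritten with an identical body, the benign incremental-update case.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://benign.example/page) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # --- incremental update: same object numbers, new bodies ---
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://lure.example/strik?utm_term=remote+codes) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

# "N G obj ... endobj" for plain-text objects; lazy match stops at the
# first endobj, which is wrong only for streams that contain that token.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string form of /URI only; hex strings and escapes are ignored.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Tokens that turn a duplicate body from "info" into something worth flagging.
ACTIVE_TOKENS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/SubmitForm", b"/GoToR")


def count_revisions(pdf: bytes) -> int:
    """Number of %%EOF markers, i.e. original save plus incremental updates."""
    return pdf.count(b"%%EOF")


def scan_objects(pdf: bytes):
    """Map (num, gen) -> [(file_offset, body_bytes), ...] in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objs[key].append((m.start(), m.group(3).strip()))
    return objs


def duplicate_bodies(pdf: bytes):
    """Object ids defined more than once whose bodies are not all identical."""
    out = {}
    for key, defs in scan_objects(pdf).items():
        bodies = [body for _, body in defs]
        if len(bodies) > 1 and len(set(bodies)) > 1:
            out[key] = bodies
    return out


def resolve(pdf: bytes, num: int, gen: int, policy: str = "last"):
    """What a first-wins or last-wins reader returns for one reference."""
    defs = scan_objects(pdf).get((num, gen))
    if not defs:
        return None
    return defs[-1][1] if policy == "last" else defs[0][1]


def has_active_content(body: bytes) -> bool:
    return any(tok in body for tok in ACTIVE_TOKENS)


def extract_uris(pdf: bytes):
    """Every /URI string, labelled with the owning object and which copy it came from."""
    found = []
    for key, defs in scan_objects(pdf).items():
        for copy_index, (_, body) in enumerate(defs):
            for m in URI_RE.finditer(body):
                found.append((key, copy_index, m.group(1).decode("latin-1")))
    return found


def triage(pdf: bytes):
    """Severity per differing duplicate: info unless a copy carries active content."""
    return {
        key: ("critical" if any(has_active_content(b) for b in bodies) else "info")
        for key, bodies in duplicate_bodies(pdf).items()
    }


if __name__ == "__main__":
    print("revisions:", count_revisions(SAMPLE_PDF))
    for (num, gen), copy_index, uri in extract_uris(SAMPLE_PDF):
        print(f"URI in {num} {gen} obj (copy {copy_index}): {uri}")
    for (num, gen), sev in triage(SAMPLE_PDF).items():
        print(f"duplicate {num} {gen} obj -> {sev}")
        print("  first-wins:", resolve(SAMPLE_PDF, num, gen, "first"))
        print("  last-wins: ", resolve(SAMPLE_PDF, num, gen, "last"))
```

Running it shows object 4 resolving to the benign URI under first-wins and the lure URI under last-wins, which is exactly the disagreement the heuristic warns about; object 5 is silently ignored because its two bodies are byte-identical. When triaging a real sample, compare the last-wins body (what Acrobat-style readers render) with whatever your scanner's resolution policy is, and treat the URI list as extraction output rather than a verdict, as the report itself notes.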

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eba2.bin
    SHA-256: e9df1abf47a688c52bbf36275161d4c71dd3d5463c3e540779115c3c600865d9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEBA2
    Size: 3304 bytes
  • font_01_sfnt_off0000f788.bin
    SHA-256: 8f5b903604946be380262ea210c693c217b261636660b7774f4b0962f40116b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF788
    Size: 5532 bytes
  • font_02_sfnt_off00010a40.bin
    SHA-256: c4c1e77123a6b125fda71137b379dff15eb69f3cbf40592c566e347b366f1c31
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A40
    Size: 10436 bytes
  • font_03_sfnt_off00012dc2.bin
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12DC2
    Size: 4324 bytes