Malicious PDF — malware analysis report

Static analysis result for SHA-256 28bbc4d20247da11…

MALICIOUS

PDF

Size: 74.1 KB
Created: 2021-03-13 12:56:25 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 885387c02b012e6ed6adb18a98880083
SHA-1: b4548f5cd687142e3745b8acc518d32c100ccb12
SHA-256: 28bbc4d20247da11de5ad68c0d6f5a86657cec38178b29648475213fc87e23c8
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URI pointing to 'maypoin.ru', which is likely part of a phishing or malware distribution scheme. The presence of multiple suspicious URLs, including one that appears to be a PDF payload, further supports this assessment. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=homonyms+worksheets+1st+grade

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename / SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000d7e0.bin
    SHA-256: 0d5d9cad4d623229ba9720aced4aa1a121804582fbe97a87215f9f678b1b7d6f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD7E0
    Size: 5220 bytes
  • font_01_sfnt_off0000e97f.bin
    SHA-256: ac4298b64d3d93fc48de6d8328a84eddb3c72050575753869fadf49b2bbed2b3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE97F
    Size: 10312 bytes
  • font_02_sfnt_off00010c3e.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C3E
    Size: 4324 bytes