Malicious PDF — malware analysis report

Static analysis result for SHA-256 28bf75c2b5d3e117…

MALICIOUS

PDF

Size: 197.6 KB
Created: 2021-03-15 04:48:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0ea5e472fbab4fee61a946a0240b055c
SHA-1: 79d1d579a290c4a033a8f974108ed1b33060d273
SHA-256: 28bf75c2b5d3e1174acc765a7e5adca96f0e2e8ff192937ab342f874ff272c59
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by ClamAV as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely used to deliver a malicious payload or conduct phishing. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the presence of the external URI suggests an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9793

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_004_off0001a574.bin
    Kind: decompressed-pdf-stream  Source: PDF FlateDecoded stream at offset 0x1A574  Size: 84688 bytes
    SHA-256: a8849b7e48b48bfd016398a03f0c68852310f19ae80a47394242f02cb80f3cd1
  • font_01_sfnt_off0002a3bf.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x2A3BF  Size: 5592 bytes
    SHA-256: adf99ef053ee8f80d0db860227ca94aae89fed84655c5e627d6a2477d2db3e3e
  • font_02_sfnt_off0002b699.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x2B699  Size: 3808 bytes
    SHA-256: bcf0525a7ff1c385a634afb4a0a8e98e8db92e66724ea927753ff641b0df7c6c
  • font_03_sfnt_off0002c57f.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x2C57F  Size: 12588 bytes
    SHA-256: 9975949f881925a1e82326c1f9e710eca70afc39af60bd960d7045356bb0ca6e
  • font_04_sfnt_off0002efc6.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x2EFC6  Size: 16376 bytes
    SHA-256: 6cbe3ac9e172e8bae055fba86092fcd672f61555ab01df205b93e20211473cad