Malicious PDF — malware analysis report

Static analysis result for SHA-256 293244a5e6bf003c…

Verdict: MALICIOUS
File type: PDF
Size: 75.1 KB
Created: 2021-03-24 16:59:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2e675164c9eae190b3cf90d8a96476c9
SHA-1: 27e726eb70ab4874b9512f7fa8952d4fddccad1e
SHA-256: 293244a5e6bf003cc4a70a7fdfcba4488ab1a1c6d9f55bf6369f099f8885c70a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains an external URI action pointing to a suspicious domain, and the file itself is flagged as malicious by ClamAV and by an ML classifier. The document body, though heavily obfuscated, contains strings related to 'Avery label template 5160 excel' (the same phrase appears as the utm_term of the extracted URI), suggesting a search-term lure intended to get the user to follow the link. The embedded URLs, together with detections from several independent tools, indicate a phishing or malware-distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so the severity is raised only when the duplicate definition carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/123?utm_term=avery+label+template+5160+excel
    • http://tonemisi.medianewsonline.com/introduction_to_anthropology_psychology_and_sociology_grade_11_textbook.pdf
    • https://static.s123-cdn-static.com/uploads/4406497/normal_5fee2a4fac474.pdf
    • http://xuwuvewisin.mypressonline.com/oral_drug_delivery_system_review.pdf
    • http://nomerojelevat.22web.org/5_point_rating_scale_for_performance.pdf
    • https://cdn-cms.f-static.net/uploads/4475219/normal_602b693e521a2.pdf
    • http://rolivazugatar.scienceontheweb.net/weber_spirit_e-210_vs_e310.pdf
    • https://static.s123-cdn-static.com/uploads/4459922/normal_5ff548b1169d7.pdf
    • http://zibodotuf.mygamesonline.org/59518858531.pdf
    • http://magatapomuv.22web.org/clinton_township_police_accident_reports.pdf
    • http://jalazekesofijot.medianewsonline.com/42220562631.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://c9977776-9e37-4432-9eae-e541147807da.filesusr.com/ugd/bb6cc6_c38807006dbb453ebb8aea1e80c17f42.pdf?index=true
    • https://s3.amazonaws.com/pilazi/10721839819.pdf
    • https://uploads.strikinglycdn.com/files/e3a99501-ba9e-4d0e-aea7-5ff87946fb26/tudabowevezilaruf.pdf
    • https://uploads.strikinglycdn.com/files/6bf5ea7f-529b-404b-b041-2f5e07a252fd/11389027290.pdf
    • https://b67fa923-03b4-4d21-b555-95ff628d7525.filesusr.com/ugd/1d4b90_27a0e17b23bb441187c1b03983f11964.pdf?index=true
    • https://c6111751-42b6-464f-a8b1-832d492ff999.filesusr.com/ugd/3d0627_72bc9f95db9e4bcd90441871210cb49d.pdf?index=true
    • https://s3.amazonaws.com/mesotodimus/information_about_budhanilkantha_temple.pdf
    • http://jugututinotu.rf.gd/9511056560.pdf
    • http://suvoxezol.rf.gd/26513337802.pdf
    • https://uploads.strikinglycdn.com/files/4cdc54b5-569f-4b9d-918b-eb417fb25d9e/sag_low_budget_digital_waiver_rate.pdf
    • https://uploads.strikinglycdn.com/files/4c148279-e3d0-4e0b-b251-978c93f73f59/how_do_i_get_sound_on_my_akai_mpk_mini.pdf
    • https://74fc1a11-d445-4ffb-bc6b-7a79e5a65a18.filesusr.com/ugd/097bd5_7f05793594864a55a22c99b33e694651.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
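The two heuristics above, duplicate object definitions and per-channel URL extraction, can be reproduced on raw bytes. The Python script below is an added example written for this page; it is not the analysis tool's code and does not process the analysed sample. It scans a constructed PDF (hypothetical domain example.invalid, built inline and labelled as constructed) in which an incremental update redefines two objects: one with a harmless body-only change and one whose link annotation now points at a lure URL. It shows what a first-wins and a last-wins reader each resolve, applies the severity rule stated above (informational unless the duplicate carries active content; the list of keys treated as active content and the "high" label are assumptions of this example), and labels every extracted URL with the channel that carried it, which is why namespace URIs such as the w3.org, purl.org and ns.adobe.com entries in the list above are reported separately from link targets.

```python
import re
from collections import defaultdict

# Dictionary keys whose presence makes a duplicate definition "active content".
# Assumed list for this example; the page does not publish the tool's own list.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/SubmitForm",
               b"/GoToR", b"/OpenAction", b"/AA", b"/EmbeddedFile")

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
GENERIC_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

# Constructed sample, not the analysed file. No xref table on purpose: the scanner
# works on raw bytes, as triage tools do, because the xref is attacker-controlled.
XMP = b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    + b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    + b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    + b"   /A << /S /URI /URI (https://example.invalid/original) >> >>\nendobj\n"
    + b"6 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP)
    + XMP + b"\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: object 2 gets a harmless body-only change,
    # object 5 is redefined so the link now points at a lure URL.
    + b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 /Rotate 0 >>\nendobj\n"
    + b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    + b"   /A << /S /URI /URI (https://example.invalid/lure?utm_term=constructed) >> >>\nendobj\n"
    + b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)


def find_objects(data):
    """Every 'N G obj ... endobj' definition in file order, as (num, gen, offset, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_definitions(data):
    """(num, gen) -> all bodies, for objects defined more than once with differing bytes."""
    seen = defaultdict(list)
    for num, gen, _off, body in find_objects(data):
        seen[(num, gen)].append(body)
    return {key: bodies for key, bodies in seen.items() if len(set(bodies)) > 1}


def resolve(data, num, gen, policy):
    """Resolve an object the way a first-wins or a last-wins reader would."""
    bodies = [b for n, g, _o, b in find_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def urls_in(body):
    return [m.group(0).decode("latin-1") for m in GENERIC_URL_RE.finditer(body)]


def extract_urls(data):
    """[(url, channel)] for every URL found, labelled with the channel that carried it."""
    found = []
    for _n, _g, _o, body in find_objects(data):
        if re.search(rb"/Type\s*/Metadata\b", body):
            channel = "metadata"      # XMP namespace URIs live here, not lure links
        elif URI_ACTION_RE.search(body):
            channel = "uri-action"    # what the External URI heuristic keys on
        else:
            channel = "body"
        found.extend((url, channel) for url in urls_in(body))
    return found


def triage(data):
    """Severity rule from the report: duplicate definitions with differing bodies are
    'info' (normal for incremental updates) unless a body carries active content."""
    findings = []
    for (num, gen), bodies in sorted(duplicate_definitions(data).items()):
        first = resolve(data, num, gen, "first")
        last = resolve(data, num, gen, "last")
        active = has_active_content(first) or has_active_content(last)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins_urls": urls_in(first),
            "last_wins_urls": urls_in(last),
            "active_content": active,
            "severity": "high" if active else "info",   # "high" label assumed
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PDF):
        print(finding)
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:10s} {url}")
```

Run stand-alone it reports object 2 0 as an informational duplicate and object 5 0 as high, with the first-wins reader resolving the original link and the last-wins reader resolving the lure. The regex object scanner is deliberately simple; a production triage tool uses a real PDF lexer so that object streams, filters and strings containing "endobj" cannot hide a definition from it.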

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000d8cb.bin
  SHA-256: cebc90df2c8d06b699907f42e2661c0b2fa1fa15832ccf5e9a924095e027bd0b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD8CB
  Size: 5256 bytes

font_01_sfnt_off0000eac4.bin
  SHA-256: d52827d3c1775121e697b2d077c91957076bc9a6ed762a285d936f51c5ec1e68
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEAC4
  Size: 11196 bytes

font_02_sfnt_off000110e4.bin
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x110E4
  Size: 4324 bytes