Malicious PDF — malware analysis report

Static analysis result for SHA-256 29a83cced6b5cadc…

Verdict: MALICIOUS
File type: PDF
Size: 74.7 KB
Created: 2021-04-03 11:23:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f6b34a819b39f3caccb98b714eb3a355
SHA-1: 4bc966d98feee43f59f874b497ffb14fdcc9a8b8
SHA-256: 29a83cced6b5cadca6694e49921019240905a1d1561e85d4d145d5d30e4a3418
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e2af.bin
    SHA-256: 82213058af6e0aa741306f23d576394082643b70bab5cbdc34539e0426c9a90e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2AF
    Size: 5612 bytes
  • Filename: font_01_sfnt_off0000f5c5.bin
    SHA-256: 75bf3942738940dd67e662d8d9bbf3c6ab35e9c7555622d02fdae535be392d94
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF5C5
    Size: 11052 bytes