Malicious PDF — malware analysis report

Static analysis result for SHA-256 380a419fbd041666…

Verdict: MALICIOUS
File type: PDF
Size: 74.4 KB
Created: 2021-02-28 18:54:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 290535b1cf4d7d9769d443d5f6405ad4
SHA-1: ae49eba825ddb0fec70dc017be94445be80c43d3
SHA-256: 380a419fbd041666077c96d799090cf35896ff0e6aca35575dcfd31a4eaab35e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The document body, though heavily obfuscated, contains text related to 'battery tender', which matches the query parameter of the external URI. The presence of multiple embedded URLs suggests an attempt to redirect the user to malicious content, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/123?utm_term=what+is+the+best+battery+tender

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e5e4.bin
SHA-256: 0f9fcc286a1c8152f545a6cbe56901a68b09f4de8d9fcaeeb4cb33e1c112eea6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE5E4
Size: 5136 bytes

Filename: font_01_sfnt_off0000f763.bin
SHA-256: 6e905cb0225bdbcc5a5a68eb6ed24cfb4147b969e43968bf286ae9d82bf938a5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF763
Size: 11004 bytes