Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c5ec5a8cf322470…

MALICIOUS

PDF

Size: 97.9 KB
Created: 2021-02-18 20:25:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1643615298285001b029d274f06599f7
SHA-1: ba79427e3259ba2521208c16594d31fd04a469f2
SHA-256: 3c5ec5a8cf32247084e441fc17280e77b45681d64196e380c3b6c05753516046
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that carries an external URI action and a number of embedded URLs. The ML classifier and the ClamAV signature both indicate maliciousness. The document body, although heavily obfuscated, appears to be a lure about 'production forms' (the first extracted URL carries a matching utm_term) intended to entice the user into clicking the external link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV flags the file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with differing body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (a saved edit appends a new definition of the object rather than rewriting the file), so severity is raised only when the duplicate carries active content such as an action, a script or a launch entry.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries below are XMP metadata namespace identifiers rather than navigable links, and scripts.sil.org/OFL is the SIL Open Font License URL typically carried in embedded font metadata.
    • https://leonvi.ru/123?utm_term=what+are+the+three+forms+of+production
    • https://static.s123-cdn-static.com/uploads/4419195/normal_5fef82f89cd4a.pdf
    • https://static.s123-cdn-static.com/uploads/4452599/normal_5ffae7a6176dd.pdf
    • https://static.s123-cdn-static.com/uploads/4487935/normal_6008d1de12ef8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/boduxatavepe/13705290492.pdf
    • https://s3.amazonaws.com/gupojakami/sanogakudumemejixeb.pdf
    • https://s3.amazonaws.com/wudibirewuduto/nazop.pdf
    • https://s3.amazonaws.com/purufiz/bombay_dyeing_bedsheets_double_bed.pdf
    • https://s3.amazonaws.com/toniseligiwuzux/centrifugal_fan_types.pdf
    • https://s3.amazonaws.com/lezopobigeza/onan_4000_rv_generator_starter.pdf
    • https://s3.amazonaws.com/kegovev/stock_markets_open_on_weekends.pdf
    • https://s3.amazonaws.com/wamatasamegu/pak_army_black_uniform.pdf
    • https://s3.amazonaws.com/pivetuzadujo/transform_fault_boundary_meaning_in_tagalog.pdf
    • https://s3.amazonaws.com/lulelepese/20515380674.pdf
    • https://s3.amazonaws.com/jepavilutabilel/19701711342.pdf
    • https://s3.amazonaws.com/viromibukoleliw/6279630653.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
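Worked example of the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL checks above. This is an added illustration, not code from the original report or from its analysis tooling. It scans raw `N G obj ... endobj` definitions, builds the object table the way a first-wins and a last-wins reader would, reports every object defined twice with differing bytes, shows which /URI each policy would follow, and raises severity only when one of the bodies carries active content. The sample PDF, its object numbers and both URLs are constructed placeholders; the xref offsets in it are dummies.

```python
import re

# Constructed sample (not the analysed file): an original body whose object 5
# is a link annotation to a placeholder URL, followed by an incremental update
# that redefines object 5 with a different /URI. The xref offsets are dummies;
# the scanner below deliberately ignores the xref table and works on object
# syntax, which is what a reader that rebuilds a damaged xref would see.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/forms) >> >>
endobj
trailer
<< /Root 1 0 R /Size 6 >>
startxref
0
%%EOF
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://attacker.invalid/123) >> >>
endobj
trailer
<< /Root 1 0 R /Size 6 /Prev 0 >>
startxref
0
%%EOF
"""

# "N G obj ... endobj"; the lookbehind stops "15 0 obj" matching as "5 0 obj".
# Caveat: a binary stream containing the bytes "endobj" would cut a body short.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Dictionary keys that make an object "active" (actions, scripts, launches).
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR)\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def scan_objects(data):
    """Yield (num, gen, offset, body) for every object definition in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip()


def resolve(data, policy):
    """Build the object table as a first-wins or last-wins reader would."""
    table = {}
    for num, gen, _off, body in scan_objects(data):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def find_duplicates(data):
    """(num, gen) -> [(offset, body), ...] for objects defined more than once with differing bytes."""
    seen = {}
    for num, gen, off, body in scan_objects(data):
        seen.setdefault((num, gen), []).append((off, body))
    return {k: v for k, v in seen.items() if len({b for _, b in v}) > 1}


def assess(data):
    """Report each divergent duplicate, what each reader policy resolves it to,
    and raise severity only when one of the bodies carries active content."""
    findings = []
    for (num, gen), versions in find_duplicates(data).items():
        first_body, last_body = versions[0][1], versions[-1][1]
        active = any(ACTIVE_RE.search(b) for _, b in versions)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(versions),
            "offsets": [off for off, _ in versions],
            "uri_first_wins": URI_RE.findall(first_body),
            "uri_last_wins": URI_RE.findall(last_body),
            "severity": "high" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_PDF):
        print(finding)
```

On the constructed sample the only divergent object is `5 0`: a first-wins reader follows the example.com link while a last-wins reader follows the attacker.invalid link, and because both bodies carry a /URI action the finding is reported as high rather than info. Against a real sample, run `assess` on the file bytes and compare the reported offsets with the file's xref and /Prev chain to tell an ordinary saved edit from a deliberately divergent definition.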

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00014458.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14458  5376 bytes
  SHA-256: 1fef549d63e46c4bb1abe12113d0dda88ad10d63cbf36bf4fa8a19645e30a275
font_01_sfnt_off00015683.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x15683  10348 bytes
  SHA-256: a6e136638b869511bf53a5ca2435e8dadec11a883d45c244b673b7f91867ecb1