Malicious PDF — malware analysis report

Static analysis result for SHA-256 3cffc69c4d1b7cda…

Verdict: MALICIOUS
File type: PDF
Size: 177.9 KB
Created: 2021-05-24 08:49:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 815ba8f65ef7fbbe6c2a30dd87e4c626
SHA-1: 3e22720cffe43dc1dd77ae61317940ab4b234cfa
SHA-256: 3cffc69c4d1b7cda729ea5b181c5f2f1a25bb07ccf97d316a7d0b53b1a8582f7
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to a suspicious domain, 'xezojetit.ru', which is likely used to host malicious content or phishing pages. The document body is heavily obfuscated, but the presence of the external URI and the overall detection suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9984

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [severity: info; rule: PDF_URI]
    PDF contains an external URL action
  • Object number defined twice with different bodies [severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (URL, followed by the channel that reached it):
    • https://xezojetit.ru/strik?utm_term=buy+tamil+magazines+in+usa (PDF link annotation)
    • https://sinegozedajosor.weebly.com/uploads/1/3/1/8/131871849/nogisepasezodi_letop_xawejekepurome.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4504641/normal_602565d40c782.pdf (in PDF document text)
    • https://bigimenuxorotel.weebly.com/uploads/1/3/4/6/134655509/5fceb4.pdf (in PDF document text)
    • https://besivopu.weebly.com/uploads/1/3/4/7/134705308/1998002.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4424935/normal_5fd127fba153b.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4377381/normal_5ff2e33e5246e.pdf (in PDF document text)
    • https://bizitaninajoki.weebly.com/uploads/1/3/5/3/135316521/4112379.pdf (in PDF document text)
    • https://jalewigevat.weebly.com/uploads/1/3/2/6/132681207/29bd3e090168b.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4474448/normal_5fc726de04a84.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/tiluwisulepam/what_is_literary_structuralism.pdf (in PDF document text)
    • https://s3.amazonaws.com/najipavez/how_to_calculate_the_flow_rate.pdf (in PDF document text)
    • https://s3.amazonaws.com/mukut/60313980289.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0ec1e3c8-8b64-4ac5-9b32-3d241f5ebcea/53672060224.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a2e14d5c-0ed0-4cf6-b532-c852423ff108/42889062964.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ba67fb52-0bf2-4ef3-9186-ad1ef38200b2/how_can_i_talk_to_uscis_customer_service.pdf (in PDF document text)
    • https://s3.amazonaws.com/sepawi/61884864565.pdf (in PDF document text)
    • https://s3.amazonaws.com/wexukufedepim/latex_algorithmic_package.pdf (in PDF document text)
    • https://s3.amazonaws.com/posaxugidut/33030636178.pdf (in PDF document text)
    • https://s3.amazonaws.com/lonozote/47839316232.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/62f492d0-624c-450f-818b-d4389b6a4db6/how_to_use_excel_2013_for_students.pdf (in PDF document text)
    • https://s3.amazonaws.com/navoburarovada/assignment_method_in_operation_research.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f69ced93-e508-4bbf-a205-f5827b88b093/how_to_become_a_certified_lash_technician_ontario.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00026734.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x26734
    Size: 5108 bytes
    SHA-256: fb03f1a2688f41af1798fe8af1de3cb4ab137dcaf47ad5cdf7c932127cf91710
  • font_01_sfnt_off0002789f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2789F
    Size: 13544 bytes
    SHA-256: 469750555ee0d9beae1c2e698beb57f604b02fc94dc5a0dd1aaafe5916e242cb
  • font_02_sfnt_off0002a40e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A40E
    Size: 16192 bytes
    SHA-256: 13bf05c00a1cee00238931a2a03bd57d9172ef94cd6b5c373b8281636b230726