Malicious PDF — malware analysis report

Static analysis result for SHA-256 4509b63970d6ab42…

Verdict: MALICIOUS
File type: PDF
Size: 78.9 KB
Created: 2021-03-26 14:47:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: aa42c3ea411f016ac55ca5861daa167a
SHA-1: 16c8c3254a45d7a7b5c6987e2071e7bf22919665
SHA-256: 4509b63970d6ab42d1fb7f33e8090fddc94049c2405cb930c4f216b9f5b063c3
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and by ClamAV, which flagged it as a phishing trojan. It contains an embedded URI pointing to a URL that appears to be a lure, disguised as a manual for a 'Saeco intelia deluxe' coffee machine. This suggests a phishing attempt or a download lure, aligning with the Spearphishing Attachment technique. No scripts were extracted, but the presence of malicious URLs and the nature of the PDF content strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9991

Heuristics (4)

  • ClamAV detection (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL source labels below for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/wix?keyword=saeco+intelia+deluxe+hd8758%252F57+manual (source: PDF link annotation)
    • http://nutetuxiv.mygamesonline.org/fonixazorisudibewanexeb.pdf (source: PDF document text)
    • http://viruxego.mygamesonline.org/dirk_gentlys_holistic_detective_agency_book_series.pdf (source: PDF document text)
    • http://zajiledafalam.getenjoyment.net/23513185744.pdf (source: PDF document text)
    • http://xagidodovinudu.iblogger.org/microsoft_excel_weekly_calendar_template.pdf (source: PDF document text)
    • http://lofoporubatul.mygamesonline.org/liwafalapasolupa.pdf (source: PDF document text)
    • http://www.ascendercorp.com/ (source: PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (source: PDF document text)
    • http://piperopire.rf.gd/lidobumik.pdf (source: PDF document text)
    • http://sigivopowofode.epizy.com/praying_to_die_in_islam.pdf (source: PDF document text)
    • https://s3.amazonaws.com/jokotaziweluge/59326069687.pdf (source: PDF document text)
    • https://s3.amazonaws.com/dubiditiginowo/how_to_live_a_happy_life_quotes.pdf (source: PDF document text)
    • https://uploads.strikinglycdn.com/files/2ae82f2f-6a51-4cfa-803f-e13f7aa7f63a/beats_studio_3_wireless_headphones_best_buy.pdf (source: PDF document text)
    • http://veramok.rf.gd/fifth_third_bank_auto_loan_payment_calculator.pdf (source: PDF document text)
    • https://uploads.strikinglycdn.com/files/01fcac72-0e06-44d5-8dd9-04831dc23483/my_many_colored_days_music_lesson.pdf (source: PDF document text)
    • https://s3.amazonaws.com/sosupejuxofedo/accepted_2006_movie_free.pdf (source: PDF document text)
    • https://b147a2f3-58af-4013-9def-597e86e94513.filesusr.com/ugd/47d6bb_84feca204a834e32b0fa58667228dd35.pdf?index=true (source: PDF document text)
    • https://14319df0-7947-4f0d-bbb3-eaa17d5eb23e.filesusr.com/ugd/c45f38_ca4e7e0037ea4fcf802ef5bbb2fafda7.pdf?index=true (source: PDF document text)
    • https://3a7b682b-4b85-4b21-836a-a34929c8735b.filesusr.com/ugd/0cd3a8_34c4b4a8a69c402598c52453a0f1bb2d.pdf?index=true (source: PDF document text)
    • https://d798de41-6847-46d1-b877-4f1b84f556ee.filesusr.com/ugd/3e315c_becd328f30d74a76bd31c7dbd27eca88.pdf?index=true (source: PDF document text)
    • https://s3.amazonaws.com/piwanisaj/1530811866.pdf (source: PDF document text)
    • https://737bf953-b780-43bc-8af0-312ed5328a40.filesusr.com/ugd/017c44_ef026805eeb246f68df71a538813ad41.pdf?index=true (source: PDF document text)
    • https://s3.amazonaws.com/bolovopizonuki/tim_grover_book_relentless.pdf (source: PDF document text)
    • https://uploads.strikinglycdn.com/files/27c595b1-067e-40cf-90a3-6dc66b51fe1f/how_do_i_adjust_the_volume_on_my_roku_app.pdf (source: PDF document text)
    • https://98748e4b-3258-471a-903e-8ea98415cca0.filesusr.com/ugd/fd7405_600b7ac5a88b4f0b8245edaf5b080a0a.pdf?index=true (source: PDF document text)
    • https://0c6b7a74-1ca0-41da-943c-c268a208a416.filesusr.com/ugd/fef373_475261837b7044519b11db5477f56c73.pdf?index=true (source: PDF document text)
    • https://uploads.strikinglycdn.com/files/ae083f73-a383-4382-93ad-ef99854c1e2b/what_does_niv_mean_in_the_bible.pdf (source: PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (source: PDF document text)
    • http://purl.org/dc/elements/1.1/ (source: PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (source: PDF document text)
    • http://ns.adobe.com/xap/1.0/ (source: PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (source: PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (source: PDF document text)
    • http://scripts.sil.org/OFL (source: PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f6ec.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF6EC
    Size: 5508 bytes
    SHA-256: c368bb4ded1b06b2a4a6a70c47659e767e63ad1ee365385cdc0e85373feb3eec
  • Filename: font_01_sfnt_off0001099d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1099D
    Size: 10712 bytes
    SHA-256: d240bf5d495b97a6e87892aa3a1ffb2c93ffb96af84771774b369da198d88381