Malicious PDF — malware analysis report

Static analysis result for SHA-256 4763d684c928e6b2…

Verdict: MALICIOUS
File type: PDF
Size: 79.0 KB
Created: 2021-05-01 14:24:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75d143a4c33ade1c224c40d556ff698b
SHA-1: d49ea7bae61d5d2840826dd48059b2a7d315c8ed
SHA-256: 4763d684c928e6b2eedd334ea6f527fe52957f50c3ed1b3934932aa6fe9a50fb
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document triggers heuristics indicating external URI usage, and an ML classifier strongly flags it as malicious. The document body, though heavily obfuscated, appears to reference a water heater, suggesting a lure theme. The presence of multiple URLs, including one flagged as malicious, indicates an attempt to redirect the user to a compromised site. ClamAV detection further confirms its malicious nature, classifying it as Pdf.Phishing.Trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f62f.bin
SHA-256: 223e14edcdbc8023203ab883d5248fb9e7d115f51f7bb60156d3322d5d6a50ad
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF62F
Size: 5496 bytes

Filename: font_01_sfnt_off000108cd.bin
SHA-256: 32c213e89e37e375a41b3b5151ecd7d626a53d79e5fcf0c22f79372f807cfd12
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x108CD
Size: 10960 bytes