Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b19ebe722f9356d…

MALICIOUS

PDF

81.1 KB Created: 2021-03-23 08:14:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c35a20c4970ceb44944cd509fd7f58b8 SHA-1: 69b63bf955f4bf7c8ec457781332ba3cabd968af SHA-256: 4b19ebe722f9356df2cbb9bbfb3b780ab865be60064e5adb66b86fd7cf50b6bf
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL pointing to 'crophysi.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, appears to contain keywords related to air purifiers, suggesting a lure to trick users into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crophysi.ru/strik?utm_term=oreck+tower+air+purifier+parts
    • https://cdn.sqhk.co/sipebesoxu/gjpcJjg/tozogivubimafoduvoge.pdf
    • https://static.s123-cdn-static.com/uploads/4479905/normal_5fc9d6ea89fa3.pdf
    • https://static.s123-cdn-static.com/uploads/4408873/normal_5ff8cc9a99ef8.pdf
    • https://cdn-cms.f-static.net/uploads/4380680/normal_5fdc4fd67d0c0.pdf
    • http://net-klientov.ru/vovijerorinuwizuxeuepl1.pdf
    • http://tugofexofuwaza.22web.org/gta_5_money_cheats_pc.pdf
    • https://cdn-cms.f-static.net/uploads/4475875/normal_6028c1a99caa9.pdf
    • https://cdn.sqhk.co/fetumamuv/coNyhdk/684056991.pdf
    • http://instacopyrightcenter.com/303815605180lf9g.pdf
    • https://cdn.sqhk.co/durotula/cyxjhwy/zezutemepivalu.pdf
    • https://cdn-cms.f-static.net/uploads/4393188/normal_5fd335ee37f4e.pdf
    • http://badge-verification-center.com/vamodabivowazeguvivujijojo6q95.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://2c5a832e-93c4-4ab0-bef0-969ef348d747.filesusr.com/ugd/cc5daa_0ba765dedae7480487f060bf8ac0e753.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8fe71f70-303e-4444-a45a-cb780401fea5/where_can_i_find_my_computers_ip_address_on_windows_7.pdf
    • http://kibeloveze.rf.gd/85068478905.pdf
    • https://ff4d9611-e7ea-45f2-85d3-f0b464ef817f.filesusr.com/ugd/48f461_fac150ae761445cc8fe66730f1c6eea3.pdf?index=true
    • https://9f9bd9fa-00fe-4673-b34e-9a629881f524.filesusr.com/ugd/09273f_d743c161a0334fe99e3f10bf635c93f1.pdf?index=true
    • https://ba428ff1-d53d-4eb5-bdb2-cc960067f420.filesusr.com/ugd/7041e4_6b4183fbf5f74e6698c8dd0579c06b7f.pdf?index=true
    • http://jazifuz.epizy.com/how_do_i_reset_my_samsung_s4_phone_to_factory_settings.pdf
    • https://uploads.strikinglycdn.com/files/4ea84289-1ef7-4c4a-b227-4f4c3daacc45/difegonosudijenomedomo.pdf
    • https://7f993087-45f6-41f4-96e5-9dcaca18fb91.filesusr.com/ugd/9a92dd_1fec0deb3f0443f3b4ad7fd288b4438a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ff78.bin
458faea2ad7b9d2cc3ba8933e924533a5e0813380ffcac95917e9616b9041f29		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFF78 5160 bytes
font_01_sfnt_off00011130.bin
7ea7174042b61629a73a625325273f3e3f86c26109321998f3e5d1fd238b1120		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11130 11140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.