Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c7c6677921e717f…

MALICIOUS

PDF

Size: 81.1 KB
Created: 2021-03-19 08:11:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4a4501d4a005f48049e0f248ee2a0f2e
SHA-1: 2297fe5a2adaaf8b0bf9cd967251e1dee4e06163
SHA-256: 4c7c6677921e717fd288406404c155a11744c2cce350cca0ae7b23bafdaa106a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URL points to a domain associated with phishing, and the document body, though heavily obfuscated, suggests a lure related to financial misconduct. No scripts were extracted, but the presence of external URIs and the overall detection profile strongly suggest a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f93c.bin
  SHA-256: 33eceb5ff5d33305585ca45725edd0276a89d20b3027ca790169c3376e809b4e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF93C
  Size: 5220 bytes

Filename: font_01_sfnt_off00010ae2.bin
  SHA-256: b0ae370cbb565c3ae514a27b162a273e520dedd7c6080e6b8ce346f37b4637f4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10AE2
  Size: 13600 bytes