Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ce6e7fdfad8ecf1…

MALICIOUS

PDF

Size: 116.1 KB
Created: 2021-03-15 21:24:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c98c31611e490dd9e21e9529af5df356
SHA-1: dc72e2f86e596c894b15b1540ed3d584ff946a14
SHA-256: 4ce6e7fdfad8ecf1fa1b4bfabd0df497025c3ff4d9dc503f0cb4be14f633aa96
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a malicious domain. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URL likely serves as a lure to download a secondary payload or redirect the user to a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00017951.bin
    SHA-256: d05fc679a43791347e042e1a727e7af58bac083e04283bace5a696658318b42c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17951
    Size: 5052 bytes
  • font_01_sfnt_off00018a6c.bin
    SHA-256: 43f863c29532364c7b74f58e9c58706d6cad951e06de23fafadb9972ede159b6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18A6C
    Size: 12404 bytes
  • font_02_sfnt_off0001b4ae.bin
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B4AE
    Size: 4324 bytes