Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f9a52cd83b7c54b…

Verdict: MALICIOUS
File type: PDF
Size: 345.3 KB
Created: 2021-03-19 00:17:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e221935d49cb99ed16dae1d39664fc25
SHA-1: 7e2400d6fa760af4330290c15291c23364c1c527
SHA-256: 4f9a52cd83b7c54b83927916290ebcf496d1853c3c92fd7452a62b2f3a50b883
Risk Score: 144

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains heuristics indicating a payment redirection lure and an external URI pointing to a suspicious domain. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were directly extracted, the presence of an external URL and the nature of the heuristics point towards a phishing or credential harvesting attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9835

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0004fcfc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4FCFC  5644 bytes
  SHA-256: 25630b3803d67336d6a29d7d1f74c9e9445303b5a24006c6e8f0d72232c0322f
font_01_sfnt_off0005100e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5100E  14464 bytes
  SHA-256: 5e4da8d13516bb1677cc4b78567e3ec3f29d400bcbf403e215b407195f5ba63c
font_02_sfnt_off00053fbb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x53FBB  16284 bytes
  SHA-256: 15b3e1dbb9946b03220896cf0b72fa5e39f337e3e3737d867298db659e05b1f5