Malicious PDF — malware analysis report

Static analysis result for SHA-256 541f05a5667d3226…

Verdict: MALICIOUS
File type: PDF
Size: 70.9 KB
Created: 2021-03-22 05:46:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b3b1ef292c2534f900937f868ee9cf33
SHA-1: 7e31dc83fff147e1d7b175da66fccc797f3642fd
SHA-256: 541f05a5667d3226dce41f8310a571563dbd8354da530f1867a7410eca2f50ed
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to a suspicious domain, likely used to deliver a phishing lure or download a secondary payload. The presence of PDF-specific heuristics and the nature of the embedded URL suggest an attempt to trick users into clicking through to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000da9b.bin
    SHA-256: dbeb8a02327bd6ba6a6a4f47cafb40d093b2214c736ca6512d20b92389b457a2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDA9B
    Size: 4936 bytes
  • Filename: font_01_sfnt_off0000eb51.bin
    SHA-256: f9ad6e6f67055d192d9496abd00ab756ef1dcca5107faee14d19eb912ebb577b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB51
    Size: 10140 bytes