Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b02cf62e1d9b0a7…

Verdict: MALICIOUS
File type: PDF
Size: 84.4 KB
Created: 2021-03-18 22:57:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b01b067f1d91bbc6edb11b670b0fc9c7
SHA-1: 48bf3b320ea0dcf4289e5dd9f5f40acb2485dc09
SHA-256: 5b02cf62e1d9b0a7bd89bd640e17fd6f177f237817321a66c4ba3e94a253198d
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics and a machine learning classifier as malicious, with ClamAV identifying it as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to host a malicious payload or redirect to a phishing page. The document body, though heavily obfuscated, contains references to 'Lightroom only smart previews' and 'wkhtmltopdf', suggesting a lure related to software or digital assets. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000f849.bin
    SHA-256: 4a10b9008f78e853c2896d819502c77f44109c575b0b7a93bf8a6911394e2fcb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF849
    Size: 5428 bytes
  • font_01_sfnt_off00010ab5.bin
    SHA-256: 044f3ab9cbc3eab46de7176301ac9979b545a14efd8f23d899bec038a877bbe8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10AB5
    Size: 10516 bytes
  • font_02_sfnt_off00012ee4.bin
    SHA-256: 159427b32ed66bfbde86def5e6c2992bde67dfb25400c4000a37c9b59b949b61
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12EE4
    Size: 16140 bytes