Malicious PDF — malware analysis report

Static analysis result for SHA-256 617ba230e348dd32…

Verdict: MALICIOUS
File type: PDF
Size: 80.4 KB
Created: 2021-04-17 21:22:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f7d86a66bfe97f0734750eebcc1ec17
SHA-1: 66a8d0f73707189c7fe798c55b282803df819d26
SHA-256: 617ba230e348dd32870f316db50c2094dba3d306e30edd8020408449c8fbe004
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain. ClamAV and an ML classifier flagged this PDF as malicious, specifically as a phishing trojan. The document body, though heavily obfuscated, appears to reference a book title, suggesting a social engineering lure to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://fokemale.ru/strik?utm_term=el+nombre+del+viento+tercer+libro

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f9c8.bin
  SHA-256: fbb7403eaf2d013eb0bdaa86e272817f9a1856f3f3e6b6179cae477994f16130
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF9C8
  Size: 4852 bytes

Filename: font_01_sfnt_off00010a38.bin
  SHA-256: 6b13f50daefc15dd3bd2ffc415722d5f80a5903772f242d873e3870752511f50
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10A38
  Size: 12252 bytes