Malicious PDF — malware analysis report

Static analysis result for SHA-256 63644ca855e3455b…

MALICIOUS

PDF

Size: 78.2 KB
Created: 2021-03-29 00:22:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 73bbb4840b45a912958ffa56105d9fbd
SHA-1: d5b120142f92c0c1b7763be5fa5835a2703e26e3
SHA-256: 63644ca855e3455b42f5457804e38fa353362caf327cd721589d0fe165bb7ef2
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier returned a high probability of maliciousness. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing site. The document body, though heavily obfuscated, appears to contain metadata related to the 'An Inspector Calls' film, possibly as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f191.bin
    SHA-256: eaf27b41526ef1872ea8e5bd9bbc26c62393a8ae058bb8581162e7c78e45a520
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF191
    Size: 5288 bytes
  • Filename: font_01_sfnt_off00010374.bin
    SHA-256: 761de6dadd5e1491381eef92a2d7586cb6cbd263299e7b5c140f7659e833ddb5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10374
    Size: 11716 bytes