Malicious PDF — malware analysis report

Static analysis result for SHA-256 63b6d725b07b901a…

Verdict: MALICIOUS
File type: PDF
Size: 556.8 KB
Created: 2021-03-14 17:31:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 658818566fcd7810765406c13fdf77b9
SHA-1: 3fc2c75fef1d958f7d2ede45e2ee73954ebead78
SHA-256: 63b6d725b07b901acad2a39e35b899171c5d3f6c0805e3f8dab5c195ac303b8b
Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains multiple embedded URLs, one of which is associated with a phishing detection. The document body, though heavily obfuscated, suggests a lure related to 'density of saltwater'. The presence of external URIs and the ClamAV detection strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0041

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (with the channel through which each was reached):
    • https://soxebez.ru/strik?utm_term=how+to+work+out+density+of+saltwater (PDF link annotation)
    • http://bukobaxaz.getenjoyment.net/how_to_solve_puzzle_reasoning_in_hindi.pdf (in PDF document text)
    • http://pusosokus.iblogger.org/74152629405.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4449009/normal_60294e210a697.pdf (in PDF document text)
    • http://1yamal.space/pequeo_combo_crucigrama_de_gnero_dgb56p.pdf (in PDF document text)
    • http://ch-redirect.icu/77930517772f72e7.pdf (in PDF document text)
    • http://zivepixafusav.22web.org/android_games_online_play_free.pdf (in PDF document text)
    • http://instgrmmverifiedbadge.com/bluest_eye_summer_summaryp1d4d.pdf (in PDF document text)
    • http://majovevalaji.sportsontheweb.net/am_mad_quotes.pdf (in PDF document text)
    • http://liberum.sportsontheweb.net/a_single_man_movie.pdf (in PDF document text)
    • http://lotupojaxuvutix.mygamesonline.org/salonosetuxivom.pdf (in PDF document text)
    • http://meetchat.space/riptide_gp2_cheatswj9t7.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4500887/normal_603a7ea08a23a.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://litopuputorer.rf.gd/14627401744.pdf (in PDF document text)
    • http://kijolitenelofon.epizy.com/thomas_calculus_instructors_solutions_manual.pdf (in PDF document text)
    • http://pusudusak.rf.gd/noble_collection_harry_potter_mystery_wand_series_2.pdf (in PDF document text)
    • http://gavuzolu.epizy.com/customer_journey_map_ppt_template_free.pdf (in PDF document text)
    • http://mugazukadum.onlinewebshop.net/what_personality_types_are_compatible.pdf (in PDF document text)
    • http://didazejitikav.rf.gd/63493702721.pdf (in PDF document text)
    • http://dizojid.rf.gd/xufoviwetudoveku.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d9ee5f51-1e93-4d96-a523-2d4ce7c58cd0/12497591321.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a94d3010-8a1b-4631-9435-4bbd591a15fe/kelikebeduri.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/05e10b29-b19d-401b-927b-d300ec849c40/48010291144.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/be9a19f5-d3df-4afd-acd3-5f287d0a8ab9/nordictrack_c900i_3.0_chp_manual.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/41523efc-a6bb-4dcf-9ddb-d31fbc629500/ar_blue_clean_143_review.pdf (in PDF document text)
    • http://bejopirobi.epizy.com/workday_brown_forman.pdf (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size and SHA-256.

  • font_00_sfnt_off0008399b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8399B
    Size: 6384 bytes
    SHA-256: e816f2c564f2bbd11707961c6ae9cb19adfa71c373602b31321d8ba4ae07f816
  • font_01_sfnt_off00084922.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x84922
    Size: 2900 bytes
    SHA-256: b3dfb2f2c41da7350fc3755141d2fd0ea5796bb125df25fec831093623ff73df
  • font_02_sfnt_off0008536e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8536E
    Size: 5120 bytes
    SHA-256: 6f538819183b534f86d0806097a218878b1e0298becf3cfe513f7ce43a0cbad5
  • font_03_sfnt_off00086509.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x86509
    Size: 14288 bytes
    SHA-256: 5f0970dd142f4094b27a23672ea8abce11883b4b8d53711bba993333af6f0f50
  • font_04_sfnt_off00089570.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x89570
    Size: 16060 bytes
    SHA-256: 713933360072c9d59346590fad668f98c3603c6d2b72ed941ce85481f6af0b74