Malicious PDF — malware analysis report

Static analysis result for SHA-256 64437e9cce333ec7…

Verdict: MALICIOUS
File type: PDF
Size: 82.7 KB
Created: 2021-03-22 02:09:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 323bb5033a7138feb9cac5575daae683
SHA-1: b22403a8a642dd223ed71bc263501474f5c3df79
SHA-256: 64437e9cce333ec7da61c0e3b52947054b7388cb0f44cf09dccbd1c96d859493
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by a machine learning classifier and by ClamAV, whose signature name (Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0) classes it as a phishing trojan. It carries an external URI action, and the most suspicious extracted URL (https://xezojetit.ru/wix?keyword=larry+sinclair+bio) points to a .ru domain with a keyword-stuffed query string, the shape of a phishing or SEO-spam lure. In addition, the same indirect object is defined twice with different bodies, so a first-wins and a last-wins parser would resolve different content for it. The remaining extracted URLs are dominated by links to further PDFs on free file-hosting and site-builder CDNs, consistent with a document generated in bulk by wkhtmltopdf as part of a link-spam or phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • External URI info PDF_URI
    The PDF contains an external URL action (an action dictionary of type /URI). When triggered, the reader hands the target to the system's browser or URL handler, so the target domain is the thing to vet.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for it, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, actions, launch targets and the like).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries at the end of the list are XMP metadata namespace identifiers and scripts.sil.org/OFL is the SIL Open Font License URL; all of these are normal in wkhtmltopdf output and are not lures. The ascendercorp.com links are most likely vendor metadata from the embedded fonts.
    URL: https://xezojetit.ru/wix?keyword=larry+sinclair+bio
    • https://static.s123-cdn-static.com/uploads/4444875/normal_5ff5d6ed1883e.pdf
    • http://dusanaputojinon.mygamesonline.org/security_analysis_and_portfolio_management_slideshare.pdf
    • http://novubelugalij.medianewsonline.com/gedirisakegaka.pdf
    • https://cdn-cms.f-static.net/uploads/4460251/normal_5fd314e1e7b07.pdf
    • http://gazozaxuk.getenjoyment.net/pendidikan_agama_islam_kelas_x_kurikulum_2020.pdf
    • http://devivitonewe.sportsontheweb.net/29148298617.pdf
    • https://static.s123-cdn-static.com/uploads/4470232/normal_5ffd620aad6db.pdf
    • https://cdn-cms.f-static.net/uploads/4486045/normal_6015e33c199ef.pdf
    • https://static.s123-cdn-static.com/uploads/4380705/normal_5fcaaefa45273.pdf
    • http://jaralet.getenjoyment.net/watchman_nee_wikipedia_indonesia.pdf
    • http://banademebilite.sportsontheweb.net/sex_and_the_city_alternate_series_finale_endings.pdf
    • https://cdn.sqhk.co/rapovixovuti/Mgc8t6R/batabepedosod.pdf
    • https://cdn.sqhk.co/gituridewo/hCtjfx8/tool_kit_for_car.pdf
    • http://zaxevef.getenjoyment.net/jumpsuits_and_rompers_plus_size.pdf
    • https://cdn.sqhk.co/goxobuve/gU7wptP/hill_climb_racing_2_games_online.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8ca778b0-5fc9-49f7-9a13-905d2e763260/27248936345.pdf
    • https://uploads.strikinglycdn.com/files/23ec6ff2-94db-461c-9b27-615254ec134d/bulubameduvogipepatatutu.pdf
    • https://uploads.strikinglycdn.com/files/280c5387-a2d1-41ed-9d77-331052b14503/pejoduwoz.pdf
    • http://gevejonitu.onlinewebshop.net/51214264823.pdf
    • https://uploads.strikinglycdn.com/files/1ae165f7-45dd-4139-ad0d-7115f4b8be1b/where_is_craigh_na_dun.pdf
    • http://xiwexuxe.atwebpages.com/fasanikujaburakadivafofob.pdf
    • https://uploads.strikinglycdn.com/files/b646966b-70cd-4f0b-a78f-f43c4517423e/baxaragasor.pdf
    • https://uploads.strikinglycdn.com/files/13a6a63f-2842-4d99-b3e5-beb8190ad033/focusrite_scarlett_2i2_2nd_gen_review.pdf
    • https://uploads.strikinglycdn.com/files/0e98e116-e13a-4ce9-805d-4fc6ef0fc08a/the_end_of_the_f_world_soundtrack_list_season_2.pdf
    • https://uploads.strikinglycdn.com/files/1b137bbc-fc98-4f19-9402-a883c60b12da/35149272278.pdf
    • https://uploads.strikinglycdn.com/files/2ee52b2a-4249-41e8-b06f-a4bd2c28a0dd/how_many_carbs_are_in_a_taco_bell_taco_supreme.pdf
    • http://mukanebesiva.atwebpages.com/meratolo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
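
The duplicate-object and external-URI heuristics above are cheap to reproduce on a raw byte stream, because the point of the duplicate-object check is precisely to see every definition rather than only the one the trailer's xref points at. The following Python is an added example written for this page; it is not part of the report's analysis engine. It runs on a constructed two-revision PDF embedded inline: object 4 (a link annotation) is redefined by an incremental update with a different /URI target, and object 5 (the Info dictionary) is redefined with only a cosmetic change, so one duplicate should have its severity raised and the other should not. All names, the sample bytes and the lure domain in it are the example's own.

```python
"""Added example: flag duplicate indirect objects and extract /URI targets from a PDF.

Not part of this report's analysis engine. Regex-based on purpose: it sees every
"N G obj" definition in the byte stream, unlike an xref-following parser that only
resolves the revision the latest trailer points at.
"""
import hashlib
import re
from collections import defaultdict

# "N G obj <body> endobj"; DOTALL so multi-line bodies (including streams) are captured whole.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI targets only; hex-string (<...>) targets are out of scope for this example.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# Keys whose presence makes a duplicated body "active content" in the sense the heuristic uses.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# Constructed sample (not the analysed file): a base revision, then an incremental update
# that redefines object 4 with a new link target and object 5 with a cosmetic change.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.com/benign) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) /Title (Invoice) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://lure.invalid/wix?keyword=x) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) /Title (Receipt) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R /Prev 0 >>\n%%EOF\n"
)


def parse_objects(data):
    """Every (num, gen, body) definition in file order, repeats included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in OBJ_RE.finditer(data)]


def resolve(data, num, gen, policy="last"):
    """Body that a first-wins or a last-wins reader would use for object (num, gen)."""
    bodies = [b for n, g, b in parse_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(data):
    """(num, gen) -> list of (sha256, has_active_content), only where the bodies differ."""
    seen = defaultdict(list)
    for num, gen, body in parse_objects(data):
        seen[(num, gen)].append((hashlib.sha256(body).hexdigest(),
                                 any(k in body for k in ACTIVE_KEYS)))
    return {k: v for k, v in seen.items() if len({d for d, _ in v}) > 1}


def uri_targets(data):
    """[(object number, target)] for every literal-string /URI action in the file."""
    return [(num, m.group(1).decode("latin-1"))
            for num, _gen, body in parse_objects(data)
            for m in URI_RE.finditer(body)]


def findings(data):
    """Severity per duplicate, following the rule stated in the heuristic:
    body-only differences stay 'info'; a duplicate carrying active content is 'raised'."""
    return {key: ("raised" if any(active for _, active in versions) else "info")
            for key, versions in duplicate_objects(data).items()}


if __name__ == "__main__":
    for key, sev in findings(SAMPLE_PDF).items():
        print(f"object {key[0]} {key[1]} defined twice with different bodies: {sev}")
    for num, target in uri_targets(SAMPLE_PDF):
        print(f"/URI in object {num}: {target}")
    print("first-wins reader sees:", resolve(SAMPLE_PDF, 4, 0, "first")[:70])
    print("last-wins reader sees: ", resolve(SAMPLE_PDF, 4, 0, "last")[:70])
```

On the constructed sample, object 4 is reported as "raised" because both of its bodies carry a /URI action, object 5 stays at "info", and the two resolve calls show the benign and the lure target respectively, which is exactly the disagreement between parsers the heuristic describes. On a real sample, compare the first-wins and last-wins bodies of every raised object, since the one a sandbox's parser chose is not necessarily the one the victim's reader will render.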

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded fonts (sfnt container), which are expected in wkhtmltopdf output; none of the heuristics above flags them.

Filename                     | Kind            | Source                                     | Size        | SHA-256
font_00_sfnt_off00010444.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10444 | 4976 bytes  | 4df70bb3a9fd9e8493404dfbb5192e4fe49db4f679106f161aa2d7b2cb48f900
font_01_sfnt_off0001154a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1154A | 11448 bytes | a57f39144a255b09878b6052ab871478c6320ad3e2eb4f7d67c79deb6504cfef