Malicious PDF — malware analysis report

Static analysis result for SHA-256 696f7a63b9940cf0…

MALICIOUS

PDF

73.9 KB Created: 2021-02-15 20:12:22 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8623a1d4516a6bf4012bab3af6709c54 SHA-1: be3ff4fa7847e332cde4e3a28b359f7151100c8b SHA-256: 696f7a63b9940cf0b7060c3480397627c621bbfd19888536de4d17064929772a
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF with high confidence. The document body is heavily obfuscated, but the presence of the external URI suggests an attempt to redirect the user to a malicious site, likely for phishing or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/wix?keyword=starved+rock+waterfall+map
    • https://static.s123-cdn-static.com/uploads/4376629/normal_5fce90bf9dce8.pdf
    • https://cdn-cms.f-static.net/uploads/4468289/normal_601ab8ff133ec.pdf
    • https://static.s123-cdn-static.com/uploads/4455198/normal_5feb72273f8aa.pdf
    • https://pukakiliratof.weebly.com/uploads/1/3/4/7/134768090/ludolazobapibi.pdf
    • http://rigovutamejebum.iblogger.org/lakers_bleacher_report_news.pdf
    • http://kokusurajiguz.22web.org/isc2_sscp_study_guide.pdf
    • https://rixukiwifezi.weebly.com/uploads/1/3/5/3/135392959/podevotud-femilizux.pdf
    • https://gunisuzafi.weebly.com/uploads/1/3/4/3/134311694/gukarufulumupoxopa.pdf
    • https://zixaderal.weebly.com/uploads/1/3/0/9/130969504/430e15c.pdf
    • https://pizeposinejuxow.weebly.com/uploads/1/3/2/6/132695365/wujosof_lebamirufebivux_jujoteguvuve.pdf
    • https://cdn.sqhk.co/xasakeza/jbjjrhh/free_online_slot_tournaments_win_real_money.pdf
    • https://buranujepexu.weebly.com/uploads/1/3/4/3/134339299/1001158.pdf
    • https://gijesilikisuzid.weebly.com/uploads/1/3/2/6/132683000/deperixux.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e4f9.bin
23f5ed77a912914bae02ed278144a5ef1f079a154f6a17a006fe476dc511b1e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE4F9 5440 bytes
font_01_sfnt_off0000f787.bin
f42f8a7cbd18af13f56e761c60c218bc2e9b76bc48b0591843a558bf03b383df		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF787 10240 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.