Malicious PDF — malware analysis report

Static analysis result for SHA-256 698096d7f0d27d18…

Verdict: MALICIOUS
File type: PDF
Size: 77.0 KB
Created: 2021-03-18 02:37:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9318cee4346f596e19553058897a3709
SHA-1: 54f7f9a14d9d485266546ddbc62d72fe0baed71c
SHA-256: 698096d7f0d27d1893c01897648e080070627e2d2441e4659a3c356b581d5f5b
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document body, though heavily obfuscated, contains text related to 'Guitar hero 3 bonus songs', suggesting a lure for a phishing or scam campaign. An external URI, https://pelibifir.ru/wix?keyword=guitar+hero+3+bonus+songs, was extracted, which is likely the destination for the phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=guitar+hero+3+bonus+songs (external URI action)
    • https://cdn.sqhk.co/lupobikud/cjxgc6k/business_manager_salary_nyc.pdf
    • https://cdn.sqhk.co/fekesolip/feDgcY1/18653992154.pdf
    • https://cdn-cms.f-static.net/uploads/4418783/normal_60135c2540bdf.pdf
    • https://static.s123-cdn-static.com/uploads/4404488/normal_5fc657257f036.pdf
    • http://bagadiwep.22web.org/librecad_review_2018.pdf
    • https://static.s123-cdn-static.com/uploads/4479441/normal_60097933a18f4.pdf
    • https://static.s123-cdn-static.com/uploads/4502721/normal_5fc9aa275d1b7.pdf
    • http://jalimojaben.iblogger.org/anganwadi_application_form_download.pdf
    • http://lnstagram-blue-ticks.com/948078458081byz4.pdf
    • http://rebelliona.online/how_to_get_management_skills_boost_pes_2020egvmk.pdf
    • https://cdn.sqhk.co/domuduxuro/4hbdhbj/97739886026.pdf
    • https://cdn-cms.f-static.net/uploads/4413567/normal_5fd94ab915fba.pdf
    • http://flash-sar.online/first_of_the_microbe_hunters14hww.pdf
    • https://cdn.sqhk.co/tibatojo/Qahgfct/best_photo_transfer_app_for_android_to_pc.pdf
    • https://cdn-cms.f-static.net/uploads/4419818/normal_600d481b5f5ba.pdf
    • http://itawegan.space/down_to_the_river_to_pray_chords_ey3jun.pdf
    • http://gujufifirisin.22web.org/spc_chart_templates_free.pdf
    • https://cdn.sqhk.co/pafevola/okgfhbl/rawaxanu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/81daa19a-b758-4218-a2d6-8bf8d4bd9612/zaributesipavizixifokixo.pdf
    • http://fabosiregoz.rf.gd/certificado_medico_de_defuncion_bolivia.pdf
    • http://sobogelutox.epizy.com/abstracting_and_indexing.pdf
    • https://uploads.strikinglycdn.com/files/e0847b01-fbd2-4e3d-9197-56f9df4ea718/brother_mfc-7860dw_wireless_setup_mac.pdf
    • https://uploads.strikinglycdn.com/files/4d518e49-c816-4cf9-b489-c15122520603/hp_deskjet_6540_driver_for_windows_10.pdf
    • https://uploads.strikinglycdn.com/files/af289446-8c77-4066-a3e1-e9d3c3dcb521/fodobal.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f031.bin
    SHA-256: 3c97c8a37cbb6ec18edb42a7c044b652bda582925048519bdb73ce12b49c0350
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF031
    Size: 5248 bytes
  • font_01_sfnt_off00010208.bin
    SHA-256: d8b9f23655979acc9ea5ff0dd745335966719b95b38ada4e75324ee0d06c99ae
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10208
    Size: 10576 bytes