Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e95a2b3bd2c449b…

MALICIOUS

PDF

83.7 KB Created: 2021-04-04 18:29:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b65ba7ff78342aa861ffce178ddda7c SHA-1: 72ecd32c504347b5bafc7269d2bae8ad5dd307d0 SHA-256: 6e95a2b3bd2c449b6071eaeb953df903a49b7fae5be583a1b0c24ff5ad350fa4
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://pelibifir.ru/aws?utm_term=someone+like+you+ukulele+tutorial', which is likely used to redirect the user to a phishing or malware distribution site. The document body, though heavily obfuscated, suggests a lure related to a 'ukulele tutorial'. No scripts were extracted, but the presence of external URIs and the overall detection profile strongly suggest a phishing or downloader attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/aws?utm_term=someone+like+you+ukulele+tutorial
    • http://magicwoolshop.com/eagle_signal_timer_b856_manuals3jg7.pdf
    • http://epaytds.xyz/73559716963kpl81.pdf
    • https://cdn.sqhk.co/zesunotu/EdjehjG/skyrim_elder_scroll_blood_id.pdf
    • http://nebo-baikala.ru/bose_quietcomfort_25_apple_for_androidfms59.pdf
    • https://cdn.sqhk.co/xumefotebe/e609rha/sync_buzzer_apk.pdf
    • http://casser.xyz/427832490863thoy.pdf
    • https://cdn.sqhk.co/wanaxowuwot/4iiBgdY/weezer_buddy_holly_lyrics.pdf
    • http://natur-green.fun/lewozutaxerawezidhc2k7.pdf
    • https://cdn.sqhk.co/daposofoxig/hhh5ji2/83207571996.pdf
    • https://cdn.sqhk.co/rurufimibiwe/mNIAsgf/nimbus_screenshot_screen_video_recorder_safari.pdf
    • http://myfirstsite.xyz/link_sheets_in_excel_onlinerz23y.pdf
    • http://parhelifrl.space/zedomunakujemo9ukis.pdf
    • http://mignonette.space/begojasavavafekewetemasiivyej.pdf
    • http://lami-lashes.site/jd_edwards_9.2_training_manualybq9u.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://89e1056b-8c01-44a4-bea5-a80a497d444f.filesusr.com/ugd/6db6f7_a3fdca32cad34e3da72cef81a85b3251.pdf?index=true
    • https://s3.amazonaws.com/vekodupiwarobi/micro_rci_2950.pdf
    • https://f37c3615-20b0-4e70-b1e7-2acf34113780.filesusr.com/ugd/1e533a_cc8ef04261d24ed5bbe2bb8ed1deeee5.pdf?index=true
    • https://2a1457bb-a4d2-449b-8914-d784a503a6da.filesusr.com/ugd/c0fca2_5e7a346f315044f1863499ba5ec61e3e.pdf?index=true
    • https://s3.amazonaws.com/forupokisip/handwriting_worksheet_maker_software.pdf
    • https://95c758d6-fd33-43c6-b5d0-f1f55e07e946.filesusr.com/ugd/cb0188_98dcb8b5a2d4441283ee60ca7c421111.pdf?index=true
    • https://s3.amazonaws.com/difigomisosak/dosokunuxojexuxesuwaguk.pdf
    • https://5fdaa9e0-ad6d-443b-8779-beb8e45026dc.filesusr.com/ugd/05301a_096f235ae68b466fbe405231021911a5.pdf?index=true
    • https://s3.amazonaws.com/vapite/navient_private_loan_in_school_deferment_form.pdf
    • https://s3.amazonaws.com/zoluwivebiro/dressmaker_sewing_machine_manual_free.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010a66.bin
48961f3497929d7f6d06f35f9e3320ae1266025654453fe79cb0ba7740ff3a0c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A66 4924 bytes
font_01_sfnt_off00011b15.bin
389f22544806675199f581f3362fe9b0444e69345fa58766bece6b8acfae605c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11B15 11012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.