Malicious PDF — malware analysis report

Static analysis result for SHA-256 727d1b79a920ada2…

MALICIOUS

PDF

103.7 KB Created: 2021-04-11 03:09:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 57071f4a131ce7cbe3209dc3b93cdf9d SHA-1: 29fb18f93b9fef8f3b2052c93d0b2655662b561b SHA-256: 727d1b79a920ada21b7da2e18bd995fa0db9d2e9164c407eb225aa58a1ced2d1
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF document flagged by multiple high-confidence heuristics as malicious, including an ML classifier and ClamAV detection. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' indicates the document's content is designed to deceive users with promises of prizes or funds, a common phishing tactic. The embedded URL, https://vilenefex.ru/strik?utm_term=what+does+the+wps+button+on+my+comcast+router+do, is likely the primary vector for delivering the malicious payload or leading to a phishing page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/strik?utm_term=what+does+the+wps+button+on+my+comcast+router+do
    • https://cdn.sqhk.co/vuxevabuvix/iaijjbM/planet_fitness_book_appointment.pdf
    • https://cdn.sqhk.co/rawavuzom/ia5Tkie/padasidaronujegabisid.pdf
    • https://cdn.sqhk.co/xenivoronizu/jgpUgAC/xiruvafebotigekon.pdf
    • https://cdn.sqhk.co/wuladupuzo/jhfhigd/aadukalam_full_movie_video.pdf
    • https://cdn-cms.f-static.net/uploads/4386597/normal_60635c0387f1e.pdf
    • http://ilkertr.shop/63139561738nh8jf.pdf
    • https://cdn.sqhk.co/kowaziwaso/WhatXyh/bepif.pdf
    • https://cdn.sqhk.co/budajawisore/oHieigJ/skyward_login_ocps.pdf
    • https://cdn-cms.f-static.net/uploads/4379732/normal_604464e346bc2.pdf
    • https://cdn.sqhk.co/fikubife/AtghOgF/tumizakomanupukazedozitem.pdf
    • https://cdn.sqhk.co/povewepalu/gijjbhh/blood_pressure_by_age_2020.pdf
    • https://cdn.sqhk.co/vuvupewog/ihrhbge/zatazovifebovigize.pdf
    • http://fullstacket.online/tazumqn5xp.pdf
    • http://zespodsvetkoy.site/713446906826u3wj.pdf
    • http://mamontov-net.cc/moruvuwadajawipukuhbw8f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/cacfd3db-61f9-42c7-ac91-59268c865254/delonghi_lattissima_one_milk_frother_not_working.pdf
    • https://uploads.strikinglycdn.com/files/d69bc397-afff-485d-a804-9ea92a9604d6/baxefupija.pdf
    • https://uploads.strikinglycdn.com/files/1467741d-c0be-45d1-9273-c4e2bddc77d8/stanley_fatmax_spotlight_usb_charger.pdf
    • https://uploads.strikinglycdn.com/files/e073e210-2046-40d5-b3fc-bbb19e63e225/43565635177.pdf
    • https://s3.amazonaws.com/fosawef/amalia_rodrigues_album.pdf
    • https://s3.amazonaws.com/tubukeganuji/benjamin_button_imdb_parents_guide.pdf
    • https://s3.amazonaws.com/pukaridimupo/machine_learning_engineer_resume_sample.pdf
    • https://uploads.strikinglycdn.com/files/3082b3b3-4638-47f0-8456-b3a4cba72eee/2016_toyota_corolla_s_for_sale_by_owner.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001563d.bin
6674b1b9a5f291a2a952a2b124d8bc1cf3399edfcf01f21e01228ca46340ba7b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1563D 5628 bytes
font_01_sfnt_off00016951.bin
f9854bf399c388734c80729484ae06a96377ed88fb68aac22ce137ce71591a0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16951 11724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.