Malicious PDF — malware analysis report

Static analysis result for SHA-256 72ec23ecb481f7aa…

Verdict: MALICIOUS
File type: PDF
Size: 104.7 KB
Created: 2021-06-30 23:32:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: ba2a0011f01092e6763400c826adf14f
SHA-1: 77ef24281f42a7698f90f05425fb9e4ac00a51b2
SHA-256: 72ec23ecb481f7aad5c56d2069b0b6c1602491b0dc6beda0445d4bbfdcf1686e
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample was detected as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains embedded URLs that point to potentially malicious PDF files hosted on various domains, suggesting a phishing or malware distribution campaign. The presence of PDF-specific heuristics further supports its classification as a malicious PDF.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9358

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://amirep.com/wp-content/plugins/super-forms/uploads/php/files/77f6aff9c17843b843ef783a81fc54c6/32714413358.pdf
    • https://mandalaconfeccao.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160a7a6389fc90---geminivokitave.pdf
    • http://www.elsecretodelolivo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b36c006a5e---wojoviwaz.pdf
    • http://school19-zav.ru/userfiles/file/28183909521.pdf
    • https://accesoriosalmayor.com/images/userfiles/file/norafutirokuzaxajulika.pdf
    • http://immodraft.nrw/images/architekten_agentur_images_/file/54220695550.pdf
    • https://popcouncilinstitute.org/wp-content/plugins/super-forms/uploads/php/files/e881f0f4881e8e7a52de766842d408c6/ribedivofavenetikeg.pdf
    • http://www.tenniscanberra.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160a095373281e---vetubuxunatomowi.pdf
    • http://onishi-kyosendo.jp/archive/repefod.pdf
    • http://www.colegiometa.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/160a25d3a8dcb8---letezisugijawi.pdf
    • http://randalljroutson.com/clients/44711/File/mudeb.pdf
    • https://pt2-turbo-j3t.com/contents//files/doruwazoso.pdf
    • https://e-lightingcontrols.com/wp-content/plugins/super-forms/uploads/php/files/1d941128494ac6af4d8f9c2ca1fe93e3/26300520529.pdf
    • http://joshuadacosta.com/wp-content/plugins/formcraft/file-upload/server/content/files/160983321160f5---56286962327.pdf
    • https://csn-alliance.com/data/files/zenefimameges.pdf
    • https://bursaceviritercume.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d3d931bb7ec---86444891741.pdf
    • https://quickonboarding.com/wp-content/plugins/super-forms/uploads/php/files/7f15278b4756ba385836f2f08a5cfaca/55889949112.pdf
    • http://boxerdapolenta.com/cmsimple/images/file/52127761059.pdf
    • http://rc-modeller.se/images/file///zajetuw.pdf
    • https://aquaticlandscape.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b5c2539a960---toditonisobobamaponoduje.pdf
    • https://tessuno.com/upload/files/60ce49e63e76c.pdf
    • http://midel.me/userfiles/file/20206143090.pdf
    • https://ferdavagnar.is/images/fck/file/jafematigokezarowalad.pdf
    • https://g-ortho.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16072684036378---80091785903.pdf
    • http://www.festivalmarrakech.info/wp-content/plugins/formcraft/file-upload/server/content/files/160a661a7bf1e1---jupofagejom.pdf
    • http://anonelectronics.com/admin/fckeditor/editor/filemanager/connectors/php/upload_jpg/file/202106292014309103.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=impregnate+meaning+in+english+dictionary
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • stream_006_off00017157.bin
    SHA-256: a8bc9fe2f2a539ba74c5bddb7d69f1b30cb29e8440bf1649746c780fde0f3fe2
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x17157
    Size: 19556 bytes
  • font_00_sfnt_off0000f9f7.bin
    SHA-256: 179ece68b747100d02d27318eacd5214b51cc909587656802f919e5d94c0c363
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF9F7
    Size: 23064 bytes
  • font_01_sfnt_off00013299.bin
    SHA-256: 43c7ea671ff26c3953f1eec9c7c191d55715cccf12c4b579e4b2656d87da8fc2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13299
    Size: 11024 bytes
  • font_02_sfnt_off00014bd0.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14BD0
    Size: 16792 bytes
  • font_03_sfnt_off000163dd.bin
    SHA-256: a8161c2f5ba9235eb51b4fcc43b6bb219725019365cb8d38f9ec25dfe5ce54ff
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x163DD
    Size: 3464 bytes