Malicious PDF — malware analysis report

Static analysis result for SHA-256 7736b0e9666ea72d…

MALICIOUS

PDF

73.2 KB Created: 2021-03-23 13:50:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5aa512deece04e6282a01fbe3a1fc11 SHA-1: 9c9342b761a55db2edab618264923b526772a784 SHA-256: 7736b0e9666ea72dd5db84eea0c97a518e535b3bafd258b063960b14254142f8
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains multiple embedded URLs, with the primary one being 'https://jumiwimov.ru/strik?utm_term=computer+network+troubleshooting+pdf', suggesting a phishing or malware distribution lure disguised as a troubleshooting guide. Although no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a malicious document designed to trick users into downloading further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=computer+network+troubleshooting+pdf
    • http://subonus.ru/pencil_drawings_for_beginners_easyllfth.pdf
    • http://zhigina.ru/pmi_pmbok_guide_6th_edition_2018seoan.pdf
    • http://trenketo.buzz/blue_otter_netherland_dwarf0kbwf.pdf
    • http://wow50.pro/34218090704ryrtq.pdf
    • http://parhelifrl.space/badger_5_plus_garbage_disposal_manualekc5b.pdf
    • http://classicalnaturally.com/fepudegof15kdz.pdf
    • http://ig-mediateam.net/5201766316b3isp.pdf
    • http://uber-global.com/actiontec_mi424wr_rev_i_dd_wrt_firmwarebmla1.pdf
    • http://ooovseanalizi.ru/directv_genie_mini_network_connection_not_foundyzn1a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/85e9699b-6df8-4fe3-a585-eedd8ae5c039/19146176809.pdf
    • https://uploads.strikinglycdn.com/files/888dc673-7824-4133-a5d5-04a3fe19d21e/how_old_do_you_need_to_be_to_get_your_drivers_license_in_arkansas.pdf
    • https://uploads.strikinglycdn.com/files/215a342c-02e2-4a1c-9495-4c9799efb3e9/what_are_the_types_of_country_music.pdf
    • https://uploads.strikinglycdn.com/files/2beace0a-0452-41d9-be51-0da74c956d00/wolf_of_wall_street_full_movie_watch_online_dailymotion.pdf
    • https://uploads.strikinglycdn.com/files/541d7a3f-734a-4017-9728-d7f8cc09c840/dlink_dns_323_driver_for_windows_10.pdf
    • https://uploads.strikinglycdn.com/files/b46e5fc4-d116-4a57-8cd9-7dd01d9bfa0a/ertugrul_ghazi_ibn_arabi_real_name.pdf
    • https://uploads.strikinglycdn.com/files/559c7f7c-5749-40df-b7e6-787d7b105012/24651206317.pdf
    • https://uploads.strikinglycdn.com/files/f4e08d9b-8f2a-4c28-b560-79ee1eb428f2/how_to_reset_a_xfinity_cable_box.pdf
    • https://uploads.strikinglycdn.com/files/586cc2df-7755-48df-935d-81ce4e3c1c3e/74764060994.pdf
    • https://uploads.strikinglycdn.com/files/75cb9795-2cb4-4766-b69d-fe1c809363e0/stein_on_writing.pdf
    • https://uploads.strikinglycdn.com/files/a3c6f328-42d7-431c-bf51-e5dee8316a3b/20091962072.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2cc.bin
2f6c0f3119672ad4c8917001b9409fc190cb8c0af58b6edb3b9107f6fff08dd1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE2CC 5444 bytes
font_01_sfnt_off0000f534.bin
6e3562521a1ec005d00a41dc9179d9c9241a28879e55317ea46fcf892a49ec0b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF534 10020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.