Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b53776854503373…

MALICIOUS

PDF

Size: 77.3 KB
Created: 2021-03-30 19:40:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b391165b755d1801aaf99e3765a5673a
SHA-1: 6b6b1871250ece6fcfca0994a480c485d6e69c21
SHA-256: 7b5377685450337357497e778685267c3a995350d223a2e9c2e3dff420409aaa
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a link annotation whose URI action points to https://druttle.ru/wix?keyword=fisher+price+garage+1987, a URL built to look like a search result for a specific product ("fisher price garage 1987"). This is the lure shape of SEO-style PDF phishing: the document itself is inert and exists only to get the reader to click through. The Nyx ML classifier (0.9995) and the ClamAV signature agree on the verdict. No JavaScript or other script content was extracted, so the T1059.007 tag is not backed by the static evidence; the malicious assessment rests on the external URI action, the duplicate object definition noted below and the document's structure, which together indicate a file intended to lead the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the victim's viewer. Body-only differences are also common in benign incremental updates (a saved form, an added annotation), so severity is raised only when the duplicate carries active content such as an action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) say which channel reached each URL, and only the first entry below is the one tied to the URI action. Most of the remaining entries are not lures: the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the metadata packet, scripts.sil.org/OFL is a font licence URL, and ascendercorp.com and daltonmaag.com are type-foundry URLs of the kind carried in embedded font name tables.
    • https://druttle.ru/wix?keyword=fisher+price+garage+1987
    • http://ragadugizidej.22web.org/64867755032.pdf
    • https://cdn-cms.f-static.net/uploads/4485572/normal_601afc8e6cd9a.pdf
    • https://cdn-cms.f-static.net/uploads/4392854/normal_602a7b8917026.pdf
    • http://jijimaxugixu.22web.org/junior_scholastic_answer_key.pdf
    • http://kisapokabawexew.22web.org/tigosudosevetidagezugin.pdf
    • https://cdn-cms.f-static.net/uploads/4379471/normal_6049d0201070c.pdf
    • http://bevibopo.22web.org/self_healing_concrete_seminar_report_and_ppt.pdf
    • https://static.s123-cdn-static.com/uploads/4459054/normal_6003c63e4cf4b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://xixakopero.epizy.com/hp_officejet_2620_ink_cartridge.pdf
    • https://uploads.strikinglycdn.com/files/fecc78eb-1009-44a0-8e64-14a0fe5e1867/tuvudowebidagusomarivodap.pdf
    • https://uploads.strikinglycdn.com/files/da00b3c6-827a-49fb-ba79-441aef2e667b/dell_precision_3520_battery_price.pdf
    • https://uploads.strikinglycdn.com/files/072bcd09-f329-4676-bae1-4cd83141b67f/2_step_inequality_word_problem_examples.pdf
    • https://uploads.strikinglycdn.com/files/c7797848-3e5a-47de-aed8-17942c27415a/rusuzalakewetisokeka.pdf
    • https://uploads.strikinglycdn.com/files/61bf9011-32fc-4769-b5ce-aa83e2fde87b/sonotofazozixikepuwu.pdf
    • https://uploads.strikinglycdn.com/files/67d79291-f62f-4580-8151-8549adfe82d4/who_builds_craftsman_snowblowers.pdf
    • http://benapubusepem.rf.gd/tell_me_about_yourself_example_interview_answer.pdf
    • https://uploads.strikinglycdn.com/files/b320327c-f84a-44b3-9f40-91cc871e2341/nolawofegexelabives.pdf
    • http://rupufunolodul.rf.gd/lenticular_lens_sheet_in_chennai.pdf
    • https://uploads.strikinglycdn.com/files/38706dcd-f8e7-4f88-8c09-f696b7786db4/51675935037.pdf
    • https://uploads.strikinglycdn.com/files/3cdc471d-b3ef-4684-87ea-b0fdc7d9b0c0/cuantos_metros_tiene_un_kilo_de_alambre_recocido_calibre_16.pdf
    • http://vukelas.rf.gd/guide_du_routard_cambodge.pdf
    • https://uploads.strikinglycdn.com/files/daad798a-093a-48e7-a387-2acf4558ed27/47193614607.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
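To show how the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced, here is an added example that is not part of the original report and not the analysis platform's own code. It scans a PDF for every `N G obj ... endobj` definition in file order, reports object numbers defined more than once with different bytes, marks whether any definition carries active content, and extracts `/URI` targets. The first-wins and last-wins readers are simulated by file order rather than by walking the xref chain, which is enough to show the disagreement. The sample PDF is constructed for this example (xref tables omitted, the benign example.org URL and the object numbers are assumptions; the second definition reuses the lure URL from the report), and the string decoder handles literal and hex strings but not every PDF escape.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): the original body defines link
# annotation "5 0" with a harmless /URI, then an incremental update after the
# first %%EOF redefines "5 0" with the lure URL from the report.  Xref tables
# are left out because this scanner works on file order, not the xref chain.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://example.org/benign) >> >> endobj
trailer << /Size 6 /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://druttle.ru/wix?keyword=fisher+price+garage+1987) >> >> endobj
trailer << /Size 6 /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI followed by a literal string (...) or a hex string <...>
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
# Dictionary keys that make an object "active" (actions, scripts, payloads)
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/GoToR", b"/SubmitForm", b"/EmbeddedFile")


def parse_objects(data):
    """Return {(num, gen): [body, body, ...]} with bodies in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return objs


def _normalize(body):
    # Collapse whitespace so re-serialised but identical objects do not count.
    return b" ".join(body.split())


def is_active(body):
    return any(key in body for key in ACTIVE_KEYS)


def find_duplicate_objects(data):
    """Objects whose (num, gen) appears more than once with differing bytes."""
    findings = []
    for key, bodies in parse_objects(data).items():
        if len({_normalize(b) for b in bodies}) > 1:
            findings.append({
                "obj": key,
                "definitions": len(bodies),
                "active": any(is_active(b) for b in bodies),
                "first": bodies[0],   # what a first-wins reader resolves
                "last": bodies[-1],   # what a last-wins reader resolves
            })
    return findings


def resolve_objects(data, policy):
    """Simulate a first-wins or last-wins reader over file order."""
    if policy not in ("first", "last"):
        raise ValueError(policy)
    return {k: (v[0] if policy == "first" else v[-1])
            for k, v in parse_objects(data).items()}


def _decode_uri(m):
    if m.group(1) is not None:                       # literal string
        return m.group(1).decode("latin-1")
    hexdigits = re.sub(rb"\s", b"", m.group(2))      # hex string
    return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")


def extract_uris(data):
    """Every /URI target in the bytes, regardless of which definition wins."""
    return [_decode_uri(m) for m in URI_RE.finditer(data)]


def uris_seen_by(data, policy):
    """URIs a reader would actually follow under the given resolution policy."""
    resolved = resolve_objects(data, policy)
    return [u for key in sorted(resolved) for u in extract_uris(resolved[key])]


if __name__ == "__main__":
    for d in find_duplicate_objects(SAMPLE_PDF):
        print(f"duplicate {d['obj'][0]} {d['obj'][1]} obj: "
              f"{d['definitions']} definitions, active={d['active']}")
    for policy in ("first", "last"):
        print(f"{policy}-wins reader follows: {uris_seen_by(SAMPLE_PDF, policy)}")
```

Run against a real sample, the interesting output is the disagreement between the two policies: a scanner that resolves first-wins sees only the benign URI while a last-wins viewer follows the lure, which is exactly why the heuristic raises severity when the duplicate body carries an action.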

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000e1fb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE1FB   5092 bytes
  SHA-256: 5443221fbca0dea2751388da1bea2bead6a41319707e7edac6e1214841879bc6
font_01_sfnt_off0000f359.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF359   11232 bytes
  SHA-256: bef5b62cc2cd4bf122702a46e490c5d30d422d140e45213a7c406589fbb81350
font_02_sfnt_off000119cb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x119CB  4324 bytes
  SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
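The offsets and sizes in the table above come from carving sfnt (TrueType/OpenType) containers out of the PDF's font streams. The following is an added example of how such a carver works; it is not the analysis platform's own carver and makes no claim about how these three artifacts were produced. It validates the sfnt header (magic, numTables, and the searchRange/entrySelector/rangeShift fields that are derived from numTables), walks the table directory to compute the font's extent, and runs over every `stream ... endstream` in the file, inflating FlateDecode streams first. The PDF and the two fonts in it are constructed for the example (zero checksums, dummy table contents, the table tags and the vendor strings in the name tables are illustrative), so sizes match the builder rather than any real font.

```python
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"typ1")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def parse_sfnt(buf, off):
    """Validate an sfnt header at buf[off:]; return (size, table_tags) or None."""
    if off + 12 > len(buf):
        return None
    version, n, search_range, entry_selector, range_shift = \
        struct.unpack_from(">4sHHHH", buf, off)
    if version not in SFNT_MAGICS or not 1 <= n <= 64:
        return None
    # These three fields are a pure function of numTables; real fonts get them
    # right and random bytes that happen to start with a magic value do not.
    es = n.bit_length() - 1
    if (search_range, entry_selector, range_shift) != (16 << es, es, 16 * n - (16 << es)):
        return None
    dir_end = 12 + 16 * n
    if off + dir_end > len(buf):
        return None
    end, tags = dir_end, []
    for i in range(n):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):          # tags are printable ASCII
            return None
        if toff < dir_end or toff + tlen > len(buf) - off:  # table must lie inside buffer
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, toff + tlen)
    # Tables are 4-byte aligned, so the font normally ends on a padded boundary.
    return min((end + 3) & ~3, len(buf) - off), tags


def carve_sfnt(buf):
    """Find every validated sfnt font in a byte buffer."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        parsed = parse_sfnt(buf, off)
        if parsed:
            size, tags = parsed
            found.append({"offset": off, "size": size, "tables": tags})
            pos = off + size          # skip past the font body
        else:
            pos = off + 1


def carve_pdf_fonts(pdf):
    """Walk PDF streams, inflating FlateDecode ones, and carve fonts from each."""
    results = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            data, base = zlib.decompress(raw), 0
            source = "flate stream at 0x%X" % m.start(1)   # offsets are into decoded data
        except zlib.error:
            data, base, source = raw, m.start(1), "raw"    # offsets are into the file
        for f in carve_sfnt(data):
            results.append({"offset": base + f["offset"], "size": f["size"],
                            "tables": f["tables"], "source": source})
    return results


def build_sfnt(tables):
    """Constructed test font: valid sfnt directory, zero checksums, dummy tables."""
    n = len(tables)
    es = n.bit_length() - 1
    header = struct.pack(">IHHHH", 0x00010000, n, 16 << es, es, 16 * n - (16 << es))
    directory, body, offset = b"", b"", 12 + 16 * n
    for tag, payload in tables:
        padded = payload + b"\0" * (-len(payload) % 4)
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))
        body += padded
        offset += len(padded)
    return header + directory + body


# Constructed sample PDF: one font stored raw, one behind FlateDecode.
FONT_A = build_sfnt([(b"head", b"\0" * 54),
                     (b"name", b"Ascender Corporation http://www.ascendercorp.com/")])
FONT_B = build_sfnt([(b"head", b"\0" * 54),
                     (b"name", b"Dalton Maag Ltd http://www.daltonmaag.com/"),
                     (b"OS/2", b"\0" * 96)])
FONT_B_Z = zlib.compress(FONT_B)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"7 0 obj << /Length " + str(len(FONT_A)).encode() + b" >> stream\n",
    FONT_A, b"\nendstream endobj\n",
    b"8 0 obj << /Length " + str(len(FONT_B_Z)).encode() + b" /Filter /FlateDecode >> stream\n",
    FONT_B_Z, b"\nendstream endobj\n",
    b"%%EOF\n",
])

if __name__ == "__main__":
    for f in carve_pdf_fonts(SAMPLE_PDF):
        print("sfnt at offset 0x%X, %d bytes, tables %s (%s)"
              % (f["offset"], f["size"], ",".join(f["tables"]), f["source"]))
```

The carved bytes are what you hash and hand to a font parser or a fuzzer-hardened renderer; the vendor and licence URLs in the name tables are also where entries like ascendercorp.com and scripts.sil.org/OFL in the URL list above come from, which is why a URL extractor run over a whole PDF needs per-channel labels to separate font metadata from link actions.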