Malicious PDF — malware analysis report

Static analysis result for SHA-256 7bcc31f06744167e…

Verdict: MALICIOUS
File type: PDF
Size: 77.3 KB
Created: 2021-03-22 00:26:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bd0fd500ab8e165e0112f12f42d65b31
SHA-1: 1eac5d9e4accadd3d2f773ee86ff27b3a684ea90
SHA-256: 7bcc31f06744167e989528a140cc52c56449f5f4e61250a6bea88af60cbc1021
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI action pointing to a suspicious domain, suggesting it is designed to redirect users to a potentially harmful website. The document body, though heavily obfuscated, contains metadata about its creation (authoring application and creation time); beyond the presence of the malicious URL, this metadata provides no further insight into the file's specific function.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/123?utm_term=cat+paw+cartoon+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ef75.bin
  SHA-256: 05da2473b50f81a678a00d76e383a8eb5a2f3d708b7043dca57e0fef5fed19a2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEF75
  Size: 4796 bytes

Filename: font_01_sfnt_off0000ffe7.bin
  SHA-256: 905047cddbd667ea3455d46c6f34d43106bc47d80d598ebe7d1ba853173ee869
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFFE7
  Size: 11656 bytes