Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ceb62ef6221eb05…

Verdict: MALICIOUS
File type: PDF
Size: 221.4 KB
Created: 2021-03-23 20:24:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69d5cd3c1d7fab201e1f07ee211d53e0
SHA-1: 730b871763540724fdf523ad49567cae91589b82
SHA-256: 7ceb62ef6221eb05ef94f11ddd6dbeabae2412cc9952215c404295224e079ea3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a heuristic indicating an external URI, specifically 'https://zajinet.ru/award?keyword=bhagavad+gita+slokas+pdf'. This URL is presented in a way that suggests it is a search result, likely to trick the user into clicking it. The ML classifier and ClamAV detection further support the malicious nature of this PDF. No scripts were extracted, but the presence of a malicious URL is a strong indicator of a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7783

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info; tag: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/award?keyword=bhagavad+gita+slokas+pdf

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0002f65d.bin
    SHA-256: 6d16341119023779c3a00ee6dcbf419da622640bd59035794f98560d99db4cf9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2F65D
    Size: 4944 bytes
  • font_01_sfnt_off00030742.bin
    SHA-256: 7e920e56b2d69ad0a34c795437496448bdbf67ad0deb23e21458005eebd3eae5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x30742
    Size: 3740 bytes
  • font_02_sfnt_off000312b9.bin
    SHA-256: e4b2d812c3dc684ba14272553f7bd6ebae93c75bfcc2f02d3fc2939fddc660fe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x312B9
    Size: 15804 bytes
  • font_03_sfnt_off000340e2.bin
    SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x340E2
    Size: 4324 bytes
  • font_04_sfnt_off00034ee2.bin
    SHA-256: 905ad122ce811915830e621d8929f6654eaf312976c25570239ce50d76296ad3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x34EE2
    Size: 6672 bytes