Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e72ed6c662672e0…

MALICIOUS

PDF

Size: 79.8 KB
Created: 2021-03-28 11:30:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4e1845bf78a4d6514ff162263a2253c7
SHA-1: 766f83698474ee214db6cd270be9e16292c87d5a
SHA-256: 7e72ed6c662672e0774e8e1313f987a764422108e7cc6fb5e7a9dca502d8a678
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to 'https://leonvi.ru/wix?keyword=fallout+guide+pdf', which is the primary indicator of malicious intent. The document body, though heavily obfuscated, suggests a lure related to a 'Fallout guide pdf'. No scripts were extracted, but the presence of an external URI strongly suggests a phishing or scam campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/wix?keyword=fallout+guide+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fd25.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD25
    Size: 4892 bytes
    SHA-256: d71cdb16813f5f2f18322bbdc50e5b5077df832c85761ea6ff11990ddb17e208
  • font_01_sfnt_off00010de8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10DE8
    Size: 10560 bytes
    SHA-256: 9e9aad4bf73d5b1d375501d99d88ab1b029a480f759a8997d944d91da95e9880