Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f7bded627f8d229…

Verdict: MALICIOUS
File type: PDF
Size: 350.3 KB
Created: 2021-04-04 09:55:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1fe3514fba7f186918fb098b5765df3f
SHA-1: 7a79c4bb729e04273f5d04ba927710745d00ab32
SHA-256: 7f7bded627f8d229ec8fcfe51779bf7915cdbb85191508c4a2ce9bc6d396df76
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with heuristics indicating embedded URIs. The document body, though partially corrupted, suggests a lure related to 'vascular cambium PDF'. The presence of multiple unknown reputation URLs strongly suggests an attempt to redirect the user to malicious content, likely for phishing or malware delivery. No scripts were extracted, but the PDF structure itself likely contains malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9471

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0005137d.bin
    SHA-256: 2ef0cf0c78811f8f8b2592408adb772d1484ca0920a52bba0bfa193480756a39
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5137D
    Size: 5604 bytes
  • font_01_sfnt_off00052679.bin
    SHA-256: 4a471f3ea2a4acb630ce67f115e1ffc91fdd724db9ddfe30336f52cb3fe45eb6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x52679
    Size: 14352 bytes
  • font_02_sfnt_off0005535c.bin
    SHA-256: 43dd7310e986e37c0562d6efd2a67b6291a0d41fa892ecd43b306c3e7231f7b7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5535C
    Size: 16148 bytes