Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fb5c24f86ee96fd…

Verdict: MALICIOUS
File type: PDF

Size: 89.2 KB
Created: 2021-06-07 05:57:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab008375e7d9cfa317492fc6b183fd51
SHA-1: 718df5294249ec8765c84f9a45878986e80b4ef6
SHA-256: 7fb5c24f86ee96fda762f81978f8030ab9d73ba110aea4d191cd82a2ee9171fa
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, likely for phishing purposes. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the PDF structure and embedded URI heuristic suggest an attempt to redirect the user to a malicious site, which is a common tactic for phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://queure.ru/pbw?utm_term=stark+county+family+court+magistrates
    • https://cdn-cms.f-static.net/uploads/4422392/normal_602ab010bd0d6.pdf
    • https://cdn-cms.f-static.net/uploads/4426409/normal_601ef8fd5b781.pdf
    • https://static.s123-cdn-static-d.com/uploads/4374986/normal_60b153e823cd7.pdf
    • https://static.s123-cdn-static.com/uploads/4388177/normal_5fcb9df70a3d2.pdf
    • https://static.s123-cdn-static.com/uploads/4446158/normal_60076dd0c75dc.pdf
    • https://cdn-cms.f-static.net/uploads/4479433/normal_60360b1bafa75.pdf
    • https://static.s123-cdn-static.com/uploads/4450632/normal_5fe5c32d946be.pdf
    • https://static.s123-cdn-static-d.com/uploads/4378608/normal_60b4a739d63d5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://devopiporo.pbworks.com/w/file/fetch/144738234/rise_of_empires_ice_and_fire_best_orange_heroes.pdf
    • https://uploads.strikinglycdn.com/files/2e38aab6-7495-4dde-9c0b-822f584ef80d/why_does_my_lenovo_laptop_say_plugged_in_not_charging.pdf
    • http://natutaliva.pbworks.com/w/file/fetch/144664119/wujuvoras.pdf
    • https://uploads.strikinglycdn.com/files/3a98eeb0-c17e-4438-9fcd-1f703fb37219/basic_math_facts_test.pdf
    • https://uploads.strikinglycdn.com/files/2633880d-4bda-45d9-bf12-ba846c876870/snow_microsoft_office_365_connector_user_guide.pdf
    • http://tekitejug.pbworks.com/w/file/fetch/144671643/zajiwobilidakaweti.pdf
    • http://bavudexote.pbworks.com/w/file/fetch/144751539/derecho_romano_eugene_petit_descargar_gratis.pdf
    • http://kafunujazuwo.pbworks.com/f/how_are_carbohydrates_digested_in_the_stomach.pdf
    • https://uploads.strikinglycdn.com/files/f09c9b27-60cf-4b62-8bce-d5b9dcd6542a/xejelediketefopagesuzat.pdf
    • http://sikovifif.pbworks.com/w/file/fetch/144471507/how_to_identify_vintage_cast_iron.pdf
    • http://ruwezebom.pbworks.com/w/file/fetch/144772239/bewukugem.pdf
    • http://xefobukeza.pbworks.com/w/file/fetch/144758487/94762668252.pdf
    • http://tefimemovem.pbworks.com/f/halloween_hologram_projector_uk.pdf
    • https://uploads.strikinglycdn.com/files/bb3a69db-ed4d-4f22-82a0-6a868ef40150/how_to_learn_english_fluently_in_30_days.pdf
    • https://uploads.strikinglycdn.com/files/bf4ec2ea-d51c-4adc-85c7-53478b816649/bobop.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000107c6.bin
    SHA-256: d48b56530519b157f8d4d41f405f4dd8e6c9d2b10a20dba5b8b6cd0df6c49f12
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107C6
    Size: 5352 bytes
  • font_01_sfnt_off000119e6.bin
    SHA-256: b585175771c1bbd1e6fac8d560973d14ed1d3a666cd9bcf3bb9f0a3e4c89f93b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x119E6
    Size: 14064 bytes
  • font_02_sfnt_off00014731.bin
    SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14731
    Size: 4324 bytes