Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fc9c1ad64d634f2…

Verdict: MALICIOUS
File type: PDF
Size: 78.5 KB
Created: 2021-03-31 21:37:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ee89f47d0b75d1593010635b5c92a033
SHA-1: 238077e8cb6669fcb8b1c19a9db3534c0e878a89
SHA-256: 7fc9c1ad64d634f21c0c860f43a1d661de24de0cf0a041c1224ebdf0d875e224
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of multiple external URLs, including one that appears to be a tracking or redirection URL, suggests an attempt to lead the user to a malicious site. The document body, though heavily obfuscated, contains metadata that could be used to disguise the malicious nature of the PDF.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/wix?keyword=mrs.+james+guthrie
    • http://jopagozopive.medianewsonline.com/as_bases_quimicas_da_vida.pdf
    • http://forexgeeks.net/3157406010psf16.pdf
    • https://static.s123-cdn-static.com/uploads/4408599/normal_5febdae0a4487.pdf
    • http://lotto-investclub.com/what_is_the_importance_of_critical_thinking_in_making_a_decisionutwkj.pdf
    • http://polypak.site/72455297941bst8p.pdf
    • http://flowerport.store/51133413516y4x87.pdf
    • https://cdn-cms.f-static.net/uploads/4477173/normal_600d4175b39aa.pdf
    • https://cdn-cms.f-static.net/uploads/4403672/normal_601006044ad93.pdf
    • https://cdn-cms.f-static.net/uploads/4374953/normal_605dd8669d408.pdf
    • https://cdn-cms.f-static.net/uploads/4460471/normal_5fd8f80574a15.pdf
    • http://tozofuji.scienceontheweb.net/mefusafotazogul.pdf
    • http://prizinsta365.online/what_do_pink_sunset_meanrr3ov.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://023e3b0e-89aa-4e00-bd19-175c11a0a9c0.filesusr.com/ugd/5f4883_38f1e1bc682b4bc7b7dff492f48d75ff.pdf?index=true
    • https://41d9b059-0b17-466b-96e6-f31a3f3e9b19.filesusr.com/ugd/f1ead9_1fd6efb0a74b4df68914fcc59402c0a8.pdf?index=true
    • http://kadoxosin.atwebpages.com/garmin_delta_xc_review.pdf
    • https://uploads.strikinglycdn.com/files/714ed6a9-b21d-4cee-9060-882586859223/70266596680.pdf
    • https://uploads.strikinglycdn.com/files/25ee6a63-1bd7-4241-adb2-e36e93d4aba3/31694209962.pdf
    • https://uploads.strikinglycdn.com/files/60ccdf30-1196-41d6-a02f-b078b9d4595d/52481641847.pdf
    • https://b23ebcb4-2e41-4c68-a408-584c84124782.filesusr.com/ugd/5a2446_009d54b55e3d48298b9e310fb85611b9.pdf?index=true
    • https://85fc0914-20e3-4f1c-be8c-de7e6f89f47e.filesusr.com/ugd/a44510_6b5f2600c6004fb8bba0972a10ef7158.pdf?index=true
    • https://944456f3-75eb-4cd6-bbfd-656b3713ada1.filesusr.com/ugd/2c8d66_91c936470b4e4d0281c03d7387efcd38.pdf?index=true
    • https://ffb80149-315c-4936-8637-e87477b606fc.filesusr.com/ugd/e7410d_6ff668273a7b438491bb1e632e4be7ad.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8a15a00a-c6fe-40e9-adc9-182cd50bfc45/58192693231.pdf
    • http://lipeporo.onlinewebshop.net/mitepivek.pdf
    • https://441768bb-9839-4df4-8f78-dd1233b527f6.filesusr.com/ugd/7e6080_a57187adb6534d28ba53e4375e0f89fa.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f3f2.bin
    SHA-256: 5be955fe9de0ddca5d7dacbdad718cc3324a2a08213232625d29c83251aa8a90
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3F2
    Size: 5180 bytes
  • Filename: font_01_sfnt_off00010579.bin
    SHA-256: 8a50a15d5af1daadfe43ea01bd2fac049860aaf791af9b7d357869038b667f1c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10579
    Size: 11476 bytes