Malicious PDF — malware analysis report

Static analysis result for SHA-256 80691c8733bbfac4…

Verdict: MALICIOUS
File type: PDF
Size: 77.0 KB
Created: 2021-05-24 21:21:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: 6a43d1f4bed7b267233804eed947c951
SHA-1: 75edd32c0f888e794541b797bdd206869c6e50e0
SHA-256: 80691c8733bbfac4f2afb79300abc7a69bb148a78e7b5834216b28536da6cc98
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to 'soxebez.ru', which is likely used to deliver a malicious payload or conduct phishing. The document body, though heavily obfuscated, suggests a lure related to a book summary, consistent with social engineering tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/strik?utm_term=harry+potter+and+the+deathly+hallows+book+summary (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ed8f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED8F
    Size: 5560 bytes
    SHA-256: d6b65cc6daa510619684f46b291510faf5133f6289b664f4842f758673b694eb
  • Filename: font_01_sfnt_off0001005a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1005A
    Size: 11124 bytes
    SHA-256: 35f85104a5d9c73ae6a9de7f173aba65fe7b6b65f0b656ecea44fdd1a40c6310