Malicious PDF — malware analysis report

Static analysis result for SHA-256 80a5b78a359e74e7…

Verdict: MALICIOUS
File type: PDF
Size: 82.1 KB
Created: 2021-03-20 17:09:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d43924185a96c77bb6ffa39acd0963cf
SHA-1: 7964df069238b428e5dfe87e2c40c7d55860b51d
SHA-256: 80a5b78a359e74e7b3768912bdb864b0fb4cacc9a796521bbcb14193e01b7d61
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains embedded URLs that lead to potentially malicious content, as indicated by the ML classifier score and the ClamAV signature match. The document body, though heavily obfuscated, suggests a lure about car upgrades (the first extracted URL carries the query "2006 scion xb manual transmission upgrades"), likely intended to get the reader to click the embedded links. No JavaScript or other script content was extracted, so the T1059.007 mapping rests on the detection profile rather than on any recovered script; the external URI actions and the overall detection profile still point to a phishing or malware-distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same object, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (a save that rewrites metadata, for example), so severity is raised only when the duplicated object carries active content such as an action, JavaScript or an embedded file.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample the w3.org, purl.org and ns.adobe.com entries are XMP schema namespace identifiers from the document metadata, and the ascendercorp.com and scripts.sil.org/OFL entries are vendor and licence strings from the embedded fonts; none of those is a clickable link target. The .pdf links on free-hosting and CDN domains are the ones that matter for triage.
    • https://baarspo.ru/wix?keyword=2006+scion+xb+manual+transmission+upgrades
    • https://cdn-cms.f-static.net/uploads/4412151/normal_6026c97a4c985.pdf
    • http://walolexokesufa.sportsontheweb.net/manifiesto_comunista_marx_y_engels.pdf
    • https://cdn-cms.f-static.net/uploads/4414491/normal_6015008779de0.pdf
    • http://pabobadoxowoti.22web.org/wirubozusatak.pdf
    • https://cdn-cms.f-static.net/uploads/4487906/normal_601ee50960bac.pdf
    • https://cdn-cms.f-static.net/uploads/4461216/normal_5fd0e3d474172.pdf
    • https://cdn-cms.f-static.net/uploads/4370059/normal_603149a95a24d.pdf
    • http://borejukeluteva.mygamesonline.org/can_i_use_my_linksys_router_as_a_range_extender.pdf
    • http://ita-yog.space/beach_buggy_racing_xbox_one9we8h.pdf
    • https://cdn.sqhk.co/xobupiba/cjg4wtR/71215562259.pdf
    • https://cdn.sqhk.co/keridola/dhjjajb/download_modern_critical_warfare_action_offline_games_2018.pdf
    • http://marafonsport.site/775689160290utgr.pdf
    • http://fortuneo-enligne.com/gojatibogoc2x3j.pdf
    • https://static.s123-cdn-static.com/uploads/4469104/normal_5fc8e14f313ee.pdf
    • https://static.s123-cdn-static.com/uploads/4371498/normal_5fde0d9a7152d.pdf
    • http://odebayitrafikhizmeti.com/43804822551tq6ae.pdf
    • https://cdn.sqhk.co/zogobadakedu/Ahbgewv/finding_golf_balls_with_uv_light.pdf
    • https://static.s123-cdn-static.com/uploads/4379837/normal_5fff7cb166b64.pdf
    • https://cdn.sqhk.co/xoxujagemo/9biaicD/classifying_real_numbers_worksheet_algebra_2_answers.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://surusulo.rf.gd/netflix_error_22005.pdf
    • http://sofidubanelen.epizy.com/67104138282.pdf
    • http://ropofijegeja.epizy.com/denon_avr-x4000_price.pdf
    • http://judiserod.onlinewebshop.net/gtx_970m_3gb_vs_1050_ti.pdf
    • http://gafomuxapo.epizy.com/wuzed.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
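The two structural heuristics above (PDF_URI / EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small object-level scan. The following is an added example written for this report, not the analyzer's own code: it splits a PDF into `N G obj ... endobj` definitions, reports object ids defined more than once with differing bodies (raising severity only when one of the bodies carries active content, as the heuristic text describes), and shows which `/URI` targets a first-wins reader and a last-wins reader would each resolve. The sample PDF bytes, the `example.org` and `lure.invalid` URLs, and the `ACTIVE_KEYS` list are all constructed for the example; the scanner assumes an uncompressed file (objects inside object streams are not parsed) and literal-string `/URI` values.

```python
"""Scan a PDF for duplicated indirect objects and /URI actions.

Added example for this report (not the analyzer's own code). Assumes the file
is uncompressed (objects inside object streams are not parsed) and that /URI
values are literal strings in parentheses, not hex strings.
"""
import re
from collections import defaultdict

# "N G obj ... endobj"; the lookbehind stops "10 0 obj" matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI (literal string); backslash escapes allowed, nested parentheses are not.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Dictionary keys that make an object "active". Substring match, so this is a
# triage heuristic, not a PDF parser. (Constructed list for the example.)
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def scan_objects(data):
    """Map (num, gen) -> list of body bytes, in file order (later = newer)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def find_duplicate_objects(data):
    """Object ids defined more than once with differing bodies."""
    findings = []
    for obj_id, bodies in scan_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(has_active_content(b) for b in bodies)
            findings.append({
                "obj": obj_id,
                "definitions": len(bodies),
                "active": active,
                "severity": "high" if active else "info",
            })
    return findings


def resolve(data, policy="last"):
    """Pick one body per object id the way a first-wins or last-wins reader would."""
    return {k: (v[-1] if policy == "last" else v[0])
            for k, v in scan_objects(data).items()}


def extract_uris(data, policy="last"):
    """/URI targets as seen by a reader with the given resolution policy."""
    uris = []
    for body in resolve(data, policy).values():
        uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(body))
    return uris


# Constructed sample: an original file plus an incremental update that redefines
# object 4 (a link annotation) and object 5 (metadata). Offsets in the xref
# sections are omitted because this scanner keys on object definitions only.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (https://example.org/manual.pdf) >> >> endobj
5 0 obj << /Producer (constructed sample) >> endobj
trailer << /Root 1 0 R /Size 6 >>
%%EOF
5 0 obj << /Producer (constructed sample, revised) >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (http://lure.invalid/2006-scion-xb-upgrades.pdf) >> >> endobj
trailer << /Root 1 0 R /Size 6 /Prev 0 >>
%%EOF
"""

if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", f)
    print("first-wins sees:", extract_uris(SAMPLE_PDF, "first"))
    print("last-wins sees: ", extract_uris(SAMPLE_PDF, "last"))
```

On the constructed sample, object 5 is flagged at info level (a metadata-only rewrite of the kind a benign re-save produces), while object 4 is flagged high because both of its definitions carry a `/URI` action and the two readers resolve different link targets. Against a real sample the `last-wins` output is the one to compare with what a viewer such as Acrobat actually opens.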

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000fed1.bin | 3f7c58cc86d02c6d9ee05deb8b84e16c0dd0a89a84ea49a76cfc5cfaf65ec95b | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFED1 | 5932 bytes
font_01_sfnt_off000112db.bin | 3ede7c12beed7b40b1e8fcd3a4a855846a1a003324e2caddccdc15ddda9756fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x112DB | 11184 bytes