Malicious PDF — malware analysis report

Static analysis result for SHA-256 80d2d169cc361819…

Verdict: MALICIOUS
File type: PDF
Size: 92.8 KB
Created: 2021-03-16 17:51:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6529db8784fe1a1eb1113e41aa9f94fd
SHA-1: d28970b2a33f8b0d9f5c263b3b941217300f610d
SHA-256: 80d2d169cc3618190f827bb775981c6074956275d1dd3a8683af22c15b79bdf1
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a URL that appears to be a lure for an application form. ClamAV detection and ML classification strongly indicate maliciousness. The presence of multiple external URLs suggests an attempt to redirect the user to malicious content, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f021.bin | c7b75a1438b3d5ec82a1e1f1137ad6d6ddedf5fca6bfd4f4ee1485103610e458 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF021 | 5164 bytes
font_01_sfnt_off0001016d.bin | d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1016D | 3720 bytes
font_02_sfnt_off00010cd0.bin | b532b511cbb21382f711d676f9c98bb31d5d53996e149bf09f927d1e30047edf | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CD0 | 10788 bytes
font_03_sfnt_off00013198.bin | 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13198 | 4324 bytes
font_04_sfnt_off00013f99.bin | 88ce45de27efd48412e6f935a7a4c95166ca3708c97db239160de09fc1b36da3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13F99 | 11912 bytes