Malicious PDF — malware analysis report

Static analysis result for SHA-256 818d4471a1166c0d…

Verdict: MALICIOUS
File type: PDF
Size: 77.1 KB
Created: 2021-04-03 21:09:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2e24517706bcd721ad14889814a2bd0
SHA-1: 7fcd5d49924ef09d4927acb9232f5c4cbef08dee
SHA-256: 818d4471a1166c0d1c0023a75148f7aac2ad9294ab2b2170c199813c21748629
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely intended to trick the user into visiting a malicious website. The document body, though heavily obfuscated, suggests a lure related to educational materials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/award?keyword=mental+maths+questions+for+class+4+cbse+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off0000ee98.bin (009008c93b4ef59ea6e1affd5ee006720d9a5134021377088c4fae3674f46618) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE98 | 5752 bytes
font_01_sfnt_off00010207.bin (63232a5a16c15fc4af8b1be301651b3669d9e10e55b91afcf03ffff7492ec166) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10207 | 10800 bytes