Malicious PDF — malware analysis report

Static analysis result for SHA-256 82856509e0729b1c…

Verdict: MALICIOUS
File type: PDF

Size: 106.3 KB
Created: 2021-03-18 16:26:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3a07b67e2e4b08ed683961326a94400
SHA-1: 456df55c22592b3c22e2d23aac9e9d8b97a803a1
SHA-256: 82856509e0729b1c65ec2cb80529dfbd800bbdd10c7b90a7750e66689931db90
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a URI action whose target is styled as a software download page (the query string advertises a pygame download for Python 3.6 on 64-bit Windows), a lure meant to get the recipient to fetch a payload from the linked site. ClamAV signature-matched the file as Pdf.Phishing.Trojan and the ML classifier scored it 0.9990, so the verdict rests on three independent signals. The body text, though garbled, contains software-download terms consistent with the lure. No JavaScript heuristic fired; the T1059.007 tag is not corroborated by the indicators listed below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The trailing RDF, Dublin Core, Adobe XMP namespace, SIL OFL and DejaVu entries are standard XMP metadata and font-licence identifiers, not lure links.
    • https://resalured.ru/strik?utm_term=pygame+download+for+python+3.6+windows+64+bit
    • http://olymptrade.buzz/48843170975dy1vt.pdf
    • https://cdn.sqhk.co/mujutuzidip/HjfaijJ/28087740142.pdf
    • http://uscreditinquiry.info/5082617018cc3pg.pdf
    • https://cdn.sqhk.co/zizaratijiga/djjhihc/8414055539.pdf
    • https://cdn.sqhk.co/jexerigix/pgfVvUo/calc_clean_philips_azur_performer.pdf
    • http://newberginvestmentproperty.com/how_to_turn_on_polaroid_zipfipl8.pdf
    • http://erza.egloos.com/4309628 (followed by undecodable bytes)
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://satelit.rf.gd/89022015674.pdf
    • http://dimakadube.epizy.com/4078770161.pdf
    • http://vepibali.rf.gd/gy6_engine_for_sale_200cc.pdf
    • https://6b54b0b2-91db-43cc-88c8-bbc4f7e20b37.filesusr.com/ugd/a773aa_7ee86154fe9c4dd8a3359bc3869f81c5.pdf?index=true
    • https://9480ebe7-8096-4165-94d5-b35dd525e9f4.filesusr.com/ugd/07b43d_79f00f8bf00c4b26aec613c276c6361e.pdf?index=true
    • https://a2214900-82f6-4ed5-a432-d5ffd14110fa.filesusr.com/ugd/306b6b_478cd0cff80f418cbbf57ca612d4f97d.pdf?index=true
    • http://misiwoferejisuj.rf.gd/reregazizewujisevup.pdf
    • http://ganibozebuzar.rf.gd/tachycardie_atriale.pdf
    • https://56f9ebfc-1b58-4ccd-90b9-24793863e956.filesusr.com/ugd/0f3536_4d0ac35f75f34244b7a76c961ae656df.pdf?index=true
    • http://fokavugepiromi.epizy.com/rotasedafuratexe.pdf
    • http://tanikotik.epizy.com/pigurategizuvizetuju.pdf
    • https://76c9fb28-c10e-4950-85be-37de24a2ede8.filesusr.com/ugd/fa32a6_a12df25e5038428e84c9087a72b3e03f.pdf?index=true
    • http://garolelawugo.epizy.com/hindu_baby_girl_names_starting_with_a.pdf
    • http://tedijafubivot.epizy.com/jivukabopawodog.pdf
    • http://nolonogatifotop.epizy.com/nigiwenubanigalen.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
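How the two parser-facing heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI / EMBEDDED_URL) can be reproduced with a byte-level scan, as an added example that is not the report tool's code: it lists every definition of each indirect object, raises the duplicate finding only when the bodies differ and one of them carries active content, and shows which /URI targets a first-wins reader versus a last-wins reader would actually expose. The sample PDF, the example.invalid domain and the regexes are constructed for illustration; a stream containing the literal bytes `endobj`, or a string with unescaped nested parentheses, would need a real tokenizer rather than this regex scan.

```python
"""Added example (not the report tool's code): byte-level PDF triage for
duplicate object bodies and /URI actions. Works on raw bytes and ignores the
xref tables, so every definition of an object is seen, including those a
conforming reader would never resolve."""
import re
from collections import defaultdict

# "N G obj ... endobj" (non-greedy: a stream containing the literal bytes
# "endobj" would truncate that object; a known limitation of raw scanning).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Keys that make an object "active": script, launch, URI, open/additional actions.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|GoToR)\b")
# /URI value as a literal string (...) or a hex string <...>.
LIT_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
HEX_URI_RE = re.compile(rb"/URI\s*<(?!<)([0-9A-Fa-f\s]*)>")
_SIMPLE_ESC = {0x6E: b"\n", 0x72: b"\r", 0x74: b"\t", 0x28: b"(", 0x29: b")", 0x5C: b"\\"}

def unescape_literal(raw: bytes) -> bytes:
    """Decode \\n \\r \\t \\( \\) \\\\ and \\ddd octal escapes; octal is a common
    way to hide a URL from a naive string grep."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != 0x5C or i + 1 == len(raw):
            out.append(raw[i]); i += 1; continue
        if raw[i + 1] in _SIMPLE_ESC:
            out += _SIMPLE_ESC[raw[i + 1]]; i += 2; continue
        m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
        if m:
            out.append(int(m.group(0), 8) & 0xFF); i += 1 + len(m.group(0)); continue
        i += 1  # backslash before any other byte is dropped, per the spec
    return bytes(out)

def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order (first .. last)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)

def has_active_content(body: bytes) -> bool:
    return ACTIVE_RE.search(body) is not None

def find_duplicate_objects(objs: dict) -> list:
    """Flag every (N G) defined more than once; raise severity only when the
    bodies differ and at least one copy carries active content, as the
    PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic in the report describes."""
    findings = []
    for key, bodies in sorted(objs.items()):
        if len(bodies) < 2:
            continue
        differ = len(set(bodies)) > 1
        findings.append({
            "obj": key, "copies": len(bodies), "bodies_differ": differ,
            "first_active": has_active_content(bodies[0]),
            "last_active": has_active_content(bodies[-1]),
            "severity": "raised" if differ and any(map(has_active_content, bodies)) else "info",
        })
    return findings

def resolve(objs: dict, policy: str) -> dict:
    """Pick one body per object the way a first-wins or last-wins reader would."""
    idx = 0 if policy == "first" else -1
    return {key: bodies[idx] for key, bodies in objs.items()}

def extract_uri_actions(body: bytes) -> list:
    """Every /URI string in a body, decoded from literal or hex form."""
    uris = [unescape_literal(m.group(1)) for m in LIT_URI_RE.finditer(body)]
    for m in HEX_URI_RE.finditer(body):
        h = re.sub(rb"\s", b"", m.group(1))
        uris.append(bytes.fromhex((h + b"0" * (len(h) % 2)).decode("ascii")))
    return uris

def uris_by_policy(data: bytes) -> dict:
    """URI actions a first-wins vs a last-wins reader would actually expose."""
    objs = parse_objects(data)
    return {p: sorted(u for b in resolve(objs, p).values() for u in extract_uri_actions(b))
            for p in ("first", "last")}

# Constructed sample: link annotation (obj 4) redefined by an incremental update
# that adds a /URI action with an octal-escaped "/". Xref tables are omitted
# because the scanner never reads them; the domain is a placeholder.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /Border [0 0 0] >>
endobj
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://example.invalid/pygame\057download) >> >>
endobj
%%EOF
"""

if __name__ == "__main__":
    print(find_duplicate_objects(parse_objects(SAMPLE_PDF)))
    print(uris_by_policy(SAMPLE_PDF))
```

On a real file, call `parse_objects` on the file bytes and compare `uris_by_policy` against the tool's URL list: a URI that appears under only one policy is exactly the parser-confusion shape the duplicate-object heuristic describes, because the reader used for triage and the reader used by the victim may not agree on which body is live.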

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000f82b.bin
  SHA-256: de7cda8c386178e7c6fc0e5e3a37266ffd4b35cec51ccf097b86f64355c4bc82
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF82B
  Size:    27348 bytes

font_01_sfnt_off000146a2.bin
  SHA-256: 60e3a68565dcc7fd928ec40bb90f0a25b377a1c4133825245b1e33e6b5ccdb19
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x146A2
  Size:    6228 bytes

font_02_sfnt_off00015bcc.bin
  SHA-256: 45944f7f6dc175e2f8cdbd80553a0504b2710690cd96dc878251182bb4e01f28
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x15BCC
  Size:    11268 bytes

font_03_sfnt_off00018222.bin
  SHA-256: ccd30ce2e8429c1173ddc1a5adb99ed25d65aa9fa5b674466418759e58bebf4f
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x18222
  Size:    16524 bytes