Malicious PDF — malware analysis report

Static analysis result for SHA-256 85fd60eea0d96f59…

MALICIOUS

PDF

75.3 KB Created: 2021-03-23 16:30:16 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aeca6d7dd4a51d7c81bbee8992154641 SHA-1: 759031df67cbe250ded6927abbc8f93462b45035 SHA-256: 85fd60eea0d96f5982e5b7252173b38c77abb9099ea77b40ef3bb3712b336b65
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to a suspicious domain, which is likely intended to lead the user to a phishing or malware distribution site. The document body, though heavily obfuscated, suggests a lure related to programming a universal remote, which is a common tactic for phishing or social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/strik?utm_term=how+to+program+directv+universal+remote+to+receiver
    • https://cdn.sqhk.co/wepiwuvume/WicgWqG/mijn_simyo_account_aanmaken.pdf
    • http://zoomita.fun/62539915337btuqo.pdf
    • http://wabuxon.iblogger.org/witineleziberilusuto.pdf
    • http://kogefidol.iblogger.org/78263635686.pdf
    • https://cdn.sqhk.co/kosifodalab/dqZAjaC/pojasiwifodipewekavino.pdf
    • http://cloudmarket.website/xikolafixelozrvml6.pdf
    • http://zutasategudek.22web.org/69451617420.pdf
    • http://my-favshoph.online/94760839878wbsi1.pdf
    • http://relax35.ru/coleman_powermate_3000_generator_partsb5xhb.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://pigosoj.epizy.com/merry_christmas_animated_gif_free.pdf
    • https://s3.amazonaws.com/jevopemosod/88504371098.pdf
    • https://s3.amazonaws.com/wofaxil/28520383241.pdf
    • http://zepedijuva.epizy.com/miracle_box_2._58_crack_mega.pdf
    • https://s3.amazonaws.com/lijopavexanuse/el_hobbit_libro_ingls.pdf
    • https://s3.amazonaws.com/lusegokaves/marafixiwideturenuge.pdf
    • http://pusolegulijased.rf.gd/99564019318.pdf
    • http://xupanapil.epizy.com/one_of_the_wu-tang_clan_members_for_short.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e89b.bin
dcdb10ab433696b87b4c331cf1e430a01f9e24b989c4231af8f0bc60b2b588b5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE89B 5504 bytes
font_01_sfnt_off0000fb58.bin
e9ddcfbe1f8a99baaa4148912dd6d27a47d346ee60acd7b07b2321fb48ab9b4f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFB58 10712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.