Malicious PDF — malware analysis report

Static analysis result for SHA-256 877fbb474238e7d6…

MALICIOUS

PDF

Size: 75.8 KB
Created: 2021-03-24 00:22:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 186bff8f9acce392e528c3a5caec93cd
SHA-1: 2c695b02474b8349d294886790f6bf5046ec3101
SHA-256: 877fbb474238e7d65275471c05b7d6c993c4b4fa7e1a707b5d13471dd60dd460
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged as malicious by ClamAV and by an ML classifier. It contains an embedded URI pointing to a suspicious domain, 'seumenha.ru', which is likely used for phishing or to host a secondary payload. The document body is heavily obfuscated, which prevents a clear understanding of its specific lure, but the presence of the malicious URL strongly suggests malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9948

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/123?utm_term=burdah+ensemble+al+madad

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000dc5b.bin
    SHA-256: ee83405ce14c958cba62bba3b0606ad0c85f4a0501ac54fe79aebc484f63f6b7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC5B
    Size: 4900 bytes
  • Filename: font_01_sfnt_off0000ecbc.bin
    SHA-256: 54fb61b40c7680fbc33a559f6cd05298829a2b911fd3a42443ef6c764301b619
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xECBC
    Size: 11340 bytes
  • Filename: font_02_sfnt_off00011360.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11360
    Size: 4324 bytes