Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b0d77a8c3315d9e…

Verdict: MALICIOUS
File type: PDF
Size: 91.5 KB
Created: 2021-03-31 04:18:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3091f74389b55a964ca3766d0a2ef352
SHA-1: 6fc9ce57eb7564099c433cb7572d20e56f09e6f2
SHA-256: 8b0d77a8c3315d9e23c9878f67ca873fc2b354ceb5292d006666e5fd2692bacd
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. The embedded URL points to a domain that is likely malicious and is disguised as a link to a book. The ML classifier also strongly indicated maliciousness. The document body contains garbled text, suggesting it is not intended to be read by the user but rather to host malicious content or an exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dafemum.ru/strik?utm_term=libro+el+secreto+ley+de+la+atraccion

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00010db8.bin | 6f9e640c1dee03f455a2ceb66dc1cbfd9dbbb5ea42e9b5140d994f2d1d963db1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DB8 | 5116 bytes
font_01_sfnt_off00011f34.bin | 21baebb3b14560b78a6274222cc7b5ed62fc8b40b8f63fa0417f337a1bd861b2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11F34 | 13244 bytes
font_02_sfnt_off00014962.bin | 12198ed304d8e74df64bcaa8a4aae6da6436d73ceeb6d758e01031f89a18fcfe | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14962 | 16076 bytes