Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c16c6c9d691b0f0…

Verdict: MALICIOUS
File type: PDF
Size: 82.1 KB
Created: 2021-03-20 12:56:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1c8f3ab39a89eac8ed2ce76ca7f0628
SHA-1: d55124f33c46ada5b07438e01e6c4f20cbb9a0e7
SHA-256: 8c16c6c9d691b0f0f5c024f595e3428a727fc50dfcd95eb26ce41bd68e654872
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by both the Nyx PDF classifier (score 0.9946) and ClamAV, which matched it to a Pdf.Phishing.Trojan signature. It carries an external URL action (PDF_URI); the extracted URL list is headed by https://xajibur.ru/wix?keyword=gwas+y+neidr+translation and otherwise consists largely of .pdf download links on free web-hosting domains (weebly.com, filesusr.com, strikinglycdn.com, atwebpages.com, mywebcommunity.org), a pattern consistent with keyword-targeted PDF lures; the wkhtmltopdf authoring stamp is likewise consistent with batch HTML-to-PDF generation. The remaining URLs (w3.org, purl.org, ns.adobe.com, scripts.sil.org, ascendercorp.com, daltonmaag.com) are XMP namespace identifiers and font-vendor licence strings carried in document metadata and the embedded fonts, not indicators. One indirect object is defined twice with different bodies, the parser-confusion shape described under the heuristics below, but it stays at informational severity because the duplicate was not reported as carrying active content. No JavaScript was extracted, so the T1059.007 mapping is not supported by the artifacts listed here; the evidence points to a phishing or credential-harvesting lure that relies on the user following the embedded link (T1566.001).

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9946

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (scripts, launch or URI actions); here it did not, hence the info rating.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xajibur.ru/wix?keyword=gwas+y+neidr+translation
    • https://cdn-cms.f-static.net/uploads/4365551/normal_5fdc68c1c29eb.pdf
    • http://buwubaled.mywebcommunity.org/baldomero_lillo_la_compuerta_numero_12.pdf
    • https://vatopefo.weebly.com/uploads/1/3/1/3/131398509/2325055.pdf
    • https://cdn-cms.f-static.net/uploads/4381101/normal_5fdc45a774110.pdf
    • https://cdn-cms.f-static.net/uploads/4385417/normal_603ab7932d2f3.pdf
    • https://static.s123-cdn-static.com/uploads/4427526/normal_5feb4cedbe1d1.pdf
    • http://dajexori.mypressonline.com/landscape_architecture_design_books.pdf
    • http://mobile-media.moscow/troy_bilt_tb230_oil_type1qfn8.pdf
    • https://mufajagirudul.weebly.com/uploads/1/3/1/4/131452858/02b43357.pdf
    • https://zexerimapepu.weebly.com/uploads/1/3/2/6/132681444/1698177.pdf
    • http://zoneeuro.pro/750516996452uif4.pdf
    • https://fukusegoboviv.weebly.com/uploads/1/3/1/8/131856281/3be2bcfc3.pdf
    • http://bionatur.space/383645128ll0o5.pdf
    • https://tusejefil.weebly.com/uploads/1/3/4/3/134320171/e84d6.pdf
    • https://cdn-cms.f-static.net/uploads/4378157/normal_604cdcfcc5822.pdf
    • http://chebsvet.ru/cancion_de_selena_la_carcacha_con_letrawvsln.pdf
    • http://changepass.online/fios_router_installation_guidej7n3h.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://68e1e3d4-268d-49bc-a8aa-b119cb10fea7.filesusr.com/ugd/3ceeb9_64f12c65c6be4618b24ded198551f1d1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b3dbe1b5-5ab0-4fda-a82e-ed5abd4aa8f9/1762302514.pdf
    • https://7d6e376e-1ee3-4df5-88c1-8d1511d419f8.filesusr.com/ugd/7dd30d_7118f8bba8a9446ebe96448ee5d1be17.pdf?index=true
    • http://sizemogigu.myartsonline.com/58808995750.pdf
    • https://uploads.strikinglycdn.com/files/e37605aa-1e12-4e73-8998-d92b074d9494/a_lesson_before_dying_sparknotes_chapter_1.pdf
    • https://uploads.strikinglycdn.com/files/d5e698f2-5fd9-4503-b90f-925338e3ff9a/91670209828.pdf
    • https://5fdaa9e0-ad6d-443b-8779-beb8e45026dc.filesusr.com/ugd/05301a_067ae4eb55ad4411bb07df9ba24c3dc0.pdf?index=true
    • http://jeborawaleko.atwebpages.com/biochemistry_project_topics.pdf
    • http://kilarosine.atwebpages.com/anatomy_and_physiology_lecture_notes_powerpoint.pdf
    • https://1cdd1dcb-54a5-4750-95ad-c4cce9a68cd1.filesusr.com/ugd/1e32c2_9e6dcf65295947c8a1b1e57d23bdfc47.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c72d647d-4bde-41c2-9cde-c0e282532506/97397180232.pdf
    • https://uploads.strikinglycdn.com/files/a600a0ca-2a7b-426d-95ed-081864e3c7e0/polygon_and_angles_worksheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
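The two PDF-structure heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI) are easy to reproduce with a small scanner. The following is an added example written for this page, not the analysis platform's code; it runs on a constructed sample PDF embedded in the script, and the hostnames example.org, lure.example and hex.example are placeholders rather than URLs from the report. The scan is linear and ignores the xref table, which models the "reconstruct" fallback many parsers take when a file is damaged, not a spec-compliant reader that follows the /Prev chain.

```python
# Added example (editor's code, not the analysis platform's): detect the two
# PDF heuristics reported above on a constructed sample.
#   PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same "N G obj" defined twice with
#   different bodies, so first-wins and last-wins readers disagree.
#   PDF_URI: /URI actions, in literal "(...)" and hex "<...>" string forms.
# The linear scan ignores the xref table; it models the fallback "reconstruct"
# path many parsers take, not a spec-compliant reader.
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)      # (literal)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")            # <hex>
# Keys that make a duplicated object worth raising from "info" to "high".
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|GoToR|"
    rb"EmbeddedFile|RichMedia)(?![A-Za-z0-9])")


def parse_objects(data):
    """All (num, gen, body, file_offset) definitions in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """(num, gen) -> [(offset, body), ...] for ids defined more than once
    with differing bytes.  Benign incremental saves produce this too, so
    it is a lead, not a verdict."""
    seen = defaultdict(list)
    for num, gen, body, off in parse_objects(data):
        seen[(num, gen)].append((off, body))
    return {k: v for k, v in seen.items() if len({b for _, b in v}) > 1}


def resolve(data, num, gen, policy="last"):
    """What a first-wins or last-wins scanner returns for one object id."""
    defs = [b for n, g, b, _ in parse_objects(data) if (n, g) == (num, gen)]
    if not defs:
        return None
    return defs[0] if policy == "first" else defs[-1]


def has_active_content(body):
    return ACTIVE_RE.search(body) is not None


def extract_uris(data):
    """Every /URI string in the file, in file order, with PDF escapes undone."""
    hits = []
    for m in URI_RE.finditer(data):
        s = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # \( \) \\ -> ( ) \
        hits.append((m.start(), s.decode("latin-1")))
    for m in URI_HEX_RE.finditer(data):
        raw = bytes.fromhex(m.group(1).decode("ascii"))
        hits.append((m.start(), raw.decode("latin-1")))
    return [u for _, u in sorted(hits)]


def triage(data):
    """Per-duplicate findings (severity raised only with active content)
    plus the URL list, mirroring the report's two heuristics."""
    findings = []
    for (num, gen), defs in duplicate_objects(data).items():
        active = any(has_active_content(b) for _, b in defs)
        findings.append({
            "obj": "%d %d" % (num, gen), "definitions": len(defs),
            "severity": "high" if active else "info",
            "first_wins": resolve(data, num, gen, "first"),
            "last_wins": resolve(data, num, gen, "last"),
        })
    return findings, extract_uris(data)


# Constructed sample: a one-page document whose link annotation (object 4)
# is redefined by an appended incremental update.  The xref sections are
# omitted because the scanner above does not use them; hostnames are
# placeholders, not the URLs from the report.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/benign) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Size 5 >>\n%%EOF\n"
    # --- incremental update: same object id, different target ---
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://lure.example/wix?keyword=x\\)y) >> >> endobj\n"
    b"5 0 obj << /S /URI /URI <68747470733a2f2f6865782e6578616d706c652f> >> endobj\n"
    b"trailer << /Root 1 0 R /Size 6 /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    findings, uris = triage(SAMPLE_PDF)
    for f in findings:
        print("%(obj)s obj defined %(definitions)d times, severity %(severity)s" % f)
        print("  first-wins:", f["first_wins"][:60])
        print("  last-wins: ", f["last_wins"][:60])
    print("URIs:", uris)
```

Run against the sample, object 4 0 is reported twice with a URI action in both bodies, so the finding is raised to high; a first-wins scanner sees the benign target and a last-wins scanner sees the lure, which is exactly the disagreement the heuristic is looking for. On the sample in this report the duplicate carried no active content, so the same logic would leave it at info.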

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000f7bb.bin
  SHA-256: a8a033cc992605f26bf528bd2ec8305387d486afb3a517386550b4aae08d34c4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF7BB
  Size: 4832 bytes

font_01_sfnt_off00010843.bin
  SHA-256: 1210a791aeef4e265c5300709052762114a029fddbc1459a445a087c3e759c15
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10843
  Size: 10596 bytes

font_02_sfnt_off00012c5e.bin
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12C5E
  Size: 4324 bytes
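Carving like the table above is reproducible with a short script. The following is an added example written for this page, not the platform's carver: it walks the stream objects of a PDF, undoes FlateDecode, keeps every decoded stream that starts with an sfnt magic, and records the data offset, decoded size and SHA-256 in the same shape as the table, plus a check of the sfnt table directory for entries that run past the blob. Identification is by content sniffing rather than by trusting /FontFile keys, so mislabelled or orphaned font streams still surface. The sample PDF, the fonts inside it and the filename pattern are constructed here; the fonts are minimal containers, not usable typefaces.

```python
# Added example (editor's code, not the platform's carver): find PDF stream
# objects, undo FlateDecode, and keep the ones whose decoded bytes start with
# an sfnt magic, recording offset, decoded size and SHA-256 as in the table
# above.  Sample PDF and fonts are constructed here and are not real fonts.
import hashlib
import re
import struct
import zlib

STREAM_HDR = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n", re.S)
LEN_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")  # skip "12 0 R"
SFNT_MAGIC = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Mac)",
              b"OTTO": "OpenType/CFF", b"ttcf": "TrueType collection"}


def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()


def iter_streams(data):
    """Yield (num, gen, dict_bytes, data_offset, raw_bytes) per stream."""
    for m in STREAM_HDR.finditer(data):
        d, start = m.group(3), m.end()
        lm = LEN_RE.search(d)
        if lm:                                   # direct /Length: exact slice
            raw = data[start:start + int(lm.group(1))]
        else:                                    # indirect /Length: fall back
            end = data.find(b"endstream", start)
            raw = data[start:end].rstrip(b"\r\n")
        yield int(m.group(1)), int(m.group(2)), d, start, raw


def decode(dict_bytes, raw):
    """Apply FlateDecode when declared; tolerate trailing junk or truncation."""
    if b"/FlateDecode" not in dict_bytes:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return zlib.decompressobj().decompress(raw)


def sfnt_tables(body):
    """sfnt table directory -> [(tag, offset, length, in_bounds)].  A table
    running past the blob is the kind of malformation aimed at font parsers."""
    if len(body) < 12:
        return []
    n = struct.unpack(">H", body[4:6])[0]
    out = []
    for i in range(n):
        rec = body[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            break                                # directory itself truncated
        tag, _csum, off, length = struct.unpack(">4sIII", rec)
        out.append((tag, off, length, off + length <= len(body)))
    return out


def carve_fonts(data):
    """Rows shaped like the report's artifact table, in file order."""
    found = []
    for num, gen, d, off, raw in iter_streams(data):
        body = decode(d, raw)
        kind = SFNT_MAGIC.get(body[:4])
        if kind is None:
            continue
        tables = sfnt_tables(body)
        found.append({
            "obj": (num, gen), "offset": off, "size": len(body), "kind": kind,
            "sha256": sha256_hex(body), "tables": [t[0] for t in tables],
            "malformed": any(not t[3] for t in tables),
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
        })
    return found


# --- constructed sample data ---------------------------------------------
def make_sfnt(version, tables):
    """Minimal sfnt container: header, table directory, table payloads."""
    n, pos = len(tables), 12 + 16 * len(tables)
    directory, payload = b"", b""
    for tag, blob in tables:
        directory += struct.pack(">4sIII", tag, 0, pos, len(blob))
        payload += blob
        pos += len(blob)
    return version + struct.pack(">HHHH", n, 0, 0, 0) + directory + payload


def make_stream(num, dict_entries, raw):
    return (b"%d 0 obj << %s /Length %d >>\nstream\n" % (num, dict_entries, len(raw))
            + raw + b"\nendstream\nendobj\n")


FONT_TT = make_sfnt(b"\x00\x01\x00\x00", [(b"head", b"\x00" * 54), (b"name", b"constructed")])
FONT_OTTO = make_sfnt(b"OTTO", [(b"CFF ", b"\x01\x00\x04\x01")])
FONT_BAD = FONT_TT[:-10]          # directory intact, last table runs off the end
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + make_stream(5, b"/Length1 %d /Filter /FlateDecode" % len(FONT_TT), zlib.compress(FONT_TT))
    + make_stream(6, b"/Filter /FlateDecode", zlib.compress(b"BT /F1 12 Tf (hello) Tj ET"))
    + make_stream(7, b"/Subtype /OpenType", FONT_OTTO)          # stored, no filter
    + make_stream(8, b"/Filter /FlateDecode", zlib.compress(FONT_BAD))
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for row in carve_fonts(SAMPLE_PDF):
        print("%(filename)s  obj %(obj)s  %(kind)s  %(size)d bytes  "
              "sha256=%(sha256)s  malformed=%(malformed)s" % row)
```

The offset recorded is that of the stream data in the file while the size is that of the decoded bytes, which is why a carved font can appear to overlap the next stream's offset. The compressed page-content stream is skipped because its decoded bytes carry no sfnt magic, and the third font is flagged as malformed because its name table points past the end of the blob.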