Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ea86ef40f51ef9d…

Verdict: MALICIOUS
File type: PDF
Size: 221.1 KB
Created: 2021-04-07 16:26:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4f71a9d1dad25759f256a21462596aef
SHA-1: 73e28314b2fd8b2c202e8dde4395d71df947fe01
SHA-256: 8ea86ef40f51ef9da2c5eb6873a38242b6160515463258a8d444ec2930e356ad
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF containing an embedded URL that leads to a malicious domain, identified by ClamAV and ML classifiers as malicious. The document body, though heavily obfuscated, appears to contain text related to the URL's query parameter, suggesting a lure. The presence of an external URI points towards a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9896

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://resalured.ru/strik?utm_term=the+drunkard%25E2%2580%2599s+walk+how+randomness+rules+our+lives

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • stream_002_off0000f31b.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xF31B
    Size: 182588 bytes
    SHA-256: 647c8c8310fbc5f54245e0dd13c9ec1af96ca0a756d88b6f05a1151701ebcd54
  • font_01_sfnt_off0003095e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3095E
    Size: 5084 bytes
    SHA-256: a733a0649112ec0b55ec591ca19a67c017d48778febed03d39001acf5c30ce76
  • font_02_sfnt_off00031a87.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31A87
    Size: 10728 bytes
    SHA-256: 0a49d27b3baba395c94c00b4b8cece58cfd7e094a65914ed1473c05b704f1163
  • font_03_sfnt_off00033f90.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x33F90
    Size: 16232 bytes
    SHA-256: 54c36977565edeb78454e6cea45db71f6cedc97b3be2326d94f266f72707cec5
  • font_04_sfnt_off000354f5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x354F5
    Size: 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361