Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f10c1361f6aed05…

Verdict: MALICIOUS
File type: PDF
Size: 219.5 KB
Created: 2021-04-01 22:53:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: aa98a1916cfdb3606215fcd20c5414c7
SHA-1: c5fb8b69e1a374acae6ab691217afa23f8d13dea
SHA-256: 8f10c1361f6aed0565f63906a6c4b4e9ba37a9fa75770538832c3ad0a0ff1fcf
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to 'seumenha.ru', which is suspicious and likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to 'psychology pdf'. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9910

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (with the channel that reached each one):
    • https://seumenha.ru/award?keyword=define+psychology+pdf (PDF link annotation)
    • https://cdn.sqhk.co/pesuxigu/jG7JTaY/vintage_toyota_race_car.pdf (in PDF document text)
    • http://crysety.xyz/5702651933y79uk.pdf (in PDF document text)
    • http://firstsecu-paypal.com/sebijawenerili6xyq.pdf (in PDF document text)
    • https://cdn.sqhk.co/gidulikegel/hc6igFp/58365614155.pdf (in PDF document text)
    • http://leyloften.online/best_2d_performance_video_carddq3mx.pdf (in PDF document text)
    • https://nudadisaxoge.weebly.com/uploads/1/3/4/0/134018155/zotuzipasoz_memoparefexusu.pdf (in PDF document text)
    • https://fasukawoj.weebly.com/uploads/1/3/1/4/131453618/578e76d6b82.pdf (in PDF document text)
    • https://cdn.sqhk.co/pufowuvikij/jRlgehf/kings_barbershop_near_me.pdf (in PDF document text)
    • https://juvarefuj.weebly.com/uploads/1/3/1/3/131398009/4784268.pdf (in PDF document text)
    • http://onlineeshop24.xyz/levis_jeans_uk_size_guide52pw6.pdf (in PDF document text)
    • https://japafapu.weebly.com/uploads/1/3/1/4/131437770/bamoregegizarodel.pdf (in PDF document text)
    • http://abouts.space/english_to_thai_alphabet_translation3yw9e.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d0a96605-8b77-4b10-91d2-ac085efd2db6/wufimaxowusomute.pdf (in PDF document text)
    • https://1ba6f066-89d4-4445-b8a9-08a6de046ef2.filesusr.com/ugd/d40554_190c3b6fd879457283e89f818cc47f98.pdf?index=true (in PDF document text)
    • https://eecb1da5-82b7-48ef-90e5-6a20895c07e7.filesusr.com/ugd/88a84f_dc09968921e5429b95ce629e406f455d.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/883c22b4-a2f8-4050-bc45-87c350b24c52/38410062449.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/55091b61-0af9-48e6-afa2-f46a2d7a263a/76832285176.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/645502f0-ebf4-4ac0-8c42-02ca05991e92/what_is_the_best_free_audio_recording_software.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/811cc340-e2c2-4534-a36b-4dd1af0fefac/how_to_do_day_trading_without_25k.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c789e9fd-1d48-4c4c-9258-bd7eaa162562/hp_p2035_printer_repair.pdf (in PDF document text)
    • https://0ea28b16-58c2-472d-b6be-3e97fe9b7bb6.filesusr.com/ugd/696b8a_d8768d02b39c41c386b44fc18cca410a.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b63fa347-cb51-44f5-96eb-24fe71ff73a9/brother_xr9500prw_sewing_machine_price.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8a58b5da-eaf8-4a08-8c21-593d1bc3d33e/beats_solo_2_wireless_headphones.pdf (in PDF document text)
    • https://13fad4bf-7224-44b3-802b-16842e97d241.filesusr.com/ugd/b14664_fa0fc26121e74eedb97983db5faa030f.pdf?index=true (in PDF document text)
    • https://cb8582fb-ab29-4f13-bfd4-623ca244ab52.filesusr.com/ugd/d61b30_795213932438469992f21f3e2bccc9f7.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7a0f2f56-ed89-476f-a886-a1e22aff7607/85865607487.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/67d28aa3-5456-4f20-a978-61ceffdd328d/how_to_write_an_advertisement_analysis.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00031c46.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31C46
    Size: 5212 bytes
    SHA-256: 0c8a78558871022e6dc860b9fb49ecca205b2d99a540eaae1aeac7e3099257c9
  • font_01_sfnt_off00032e1b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x32E1B
    Size: 15520 bytes
    SHA-256: 1abc53b38f51da232f5db38e5488d9c8f9af263ed42cda5fe85e3d64c643e74f