Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f62e998ef0b0d18…

Verdict: MALICIOUS
File type: PDF
File size: 68.8 KB
Created: 2021-03-21 00:26:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2714dd39b4ed02ee6baef15b68e71271
SHA-1: 17c45482ca3922a4d0ff9551b6cef690c3a06c00
SHA-256: 8f62e998ef0b0d18e178e785fa656c036e2cd2fb03aeba27bfa4637f9a816259
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. The document body, though heavily obfuscated, appears to be related to the URL's keyword, suggesting a lure to trick users into visiting the malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/award?keyword=worthy+is+the+lamb+chords+g+pdf
    • https://static.s123-cdn-static.com/uploads/4421039/normal_5ff6845ea2851.pdf
    • https://cdn-cms.f-static.net/uploads/4379491/normal_6049c2499bb69.pdf
    • http://xegazinijitup.mywebcommunity.org/47976390869.pdf
    • https://static.s123-cdn-static.com/uploads/4366348/normal_5ffbf873e801a.pdf
    • http://xuzerujagojagip.scienceontheweb.net/dell_precision_t5500_motherboard_form_factor.pdf
    • http://tonedomopoja.scienceontheweb.net/76392493378.pdf
    • https://cdn-cms.f-static.net/uploads/4496360/normal_6037db656fe39.pdf
    • https://nowagomasililub.weebly.com/uploads/1/3/0/7/130775830/0c1350f79501.pdf
    • https://bakubirusi.weebly.com/uploads/1/3/4/6/134680497/duduvezofuliva.pdf
    • https://cdn-cms.f-static.net/uploads/4382781/normal_6011dec63f8a2.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://6674166f-eb58-46b1-9d38-a528bc95e02c.filesusr.com/ugd/e38d8e_bfd4f1c0a09c4ce5afb41041dc44b940.pdf?index=true
    • https://s3.amazonaws.com/kovezodepugov/google_spreadsheet_if_contains_text.pdf
    • https://9afb1793-bc57-4514-bb46-74e980466609.filesusr.com/ugd/11f207_0fea0218f7ec43a187951e03cb8a7a92.pdf?index=true
    • http://fubavinexazixo.onlinewebshop.net/simple_and_clean_piano_sheet_music.pdf
    • https://s3.amazonaws.com/desenaz/40944435947.pdf
    • https://d9c73feb-c945-4d97-9d44-ff62a4b57c47.filesusr.com/ugd/12056e_f9800a4c6cda44d19ed8ca42b669e25b.pdf?index=true
    • http://telifujovemevo.atwebpages.com/manual_teclado_yamaha_dgx_660.pdf
    • https://07d68bf2-0661-47e2-9ffe-eae068a071af.filesusr.com/ugd/fef806_cb303d3481b84d3abe41fbe957af051d.pdf?index=true
    • https://dedb376b-efc3-4528-ac10-fc65d12f866c.filesusr.com/ugd/5f6074_d79c266c65874535b6f5fe9a5d0df5b1.pdf?index=true
    • https://s3.amazonaws.com/pulujolatepuv/92557237725.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ce71.bin
    SHA-256: 9618ea3c491d3c282d3744feec7b4528147b094043c3f8e75ffe7df74a8af7e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCE71
    Size: 5824 bytes
  • Filename: font_01_sfnt_off0000e22e.bin
    SHA-256: 41bb9d247ac368479e48390c7259e7263101098afaf94dc52cae60be3a6632a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE22E
    Size: 10000 bytes