Malicious PDF — malware analysis report

Static analysis result for SHA-256 9006bc15b4f27edf…

Verdict: MALICIOUS
File type: PDF
Size: 87.0 KB
Created: 2021-04-08 00:35:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 51d6036f151e23c1c503cc090c67c744
SHA-1: 211c67eff80c7e2b62f4819a65a6d3a131a14f46
SHA-256: 9006bc15b4f27edf30a433f5137b4f37593120ccf83fa30883872377985ea537
Risk score: 104

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment; T1203 Exploitation for Client Execution

The file is a PDF rendered from HTML with wkhtmltopdf 0.12.5 that carries an external URI action; the URL the report singles out is https://jumiwimov.ru/123?utm_term=bar+chair+cad+block+free. It is classified as malicious both by the Nyx PDF classifier (score 0.9981) and by ClamAV (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0). The 'download' call-to-action text points to a social-engineering lure: the user is meant to click the link and fetch a payload from the external site. No JavaScript, Launch action or embedded file was reported, so the workflow depends on that click, and the primary IOC is the external URI. The document also defines one indirect object twice with differing bodies, a shape that makes first-wins and last-wins parsers disagree; it is recorded at info level because the report does not tie the duplicate to active content. Of the remaining extracted URLs, those under w3.org, purl.org and ns.adobe.com are XMP metadata namespace identifiers, and those under scripts.sil.org, dejavu.sourceforge.net, ascendercorp.com and daltonmaag.com are font licence and foundry strings from the embedded fonts; none of them is an indicator. The many links to other .pdf files on free web-hosting and site-builder domains (epizy.com, rf.gd, 22web.org, atwebpages.com, strikinglycdn.com, filesusr.com and similar) are consistent with the 'free PDF download' lure page family this document was rendered from and should be treated as related infrastructure rather than as this sample's delivery channel.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://jumiwimov.ru/123?utm_term=bar+chair+cad+block+free
    • http://kufejat.sportsontheweb.net/35809128427.pdf
    • http://selizixid.iblogger.org/zuvusetidinowol.pdf
    • http://xojopimo.22web.org/pupovojewevesomenikutebiz.pdf
    • http://koparikamoze.scienceontheweb.net/ielts_speaking_marking_sheet.pdf
    • http://aicberg.net/definition_of_operations_researchlz71w.pdf
    • http://rasipafus.getenjoyment.net/bejameko.pdf
    • http://visunuduxat.mypressonline.com/63821610156.pdf
    • http://qrettalq.online/zolovifey64tv.pdf
    • http://erethiztzj.space/suritivupiwefowu4e9w6.pdf
    • http://theandyhong.com/how_to_open_honeywell_thermostat_to_replace_batterysnjkr.pdf
    • http://banquepopulaire-fr.org/behringer_xenyx_1202fx_-_12_channel_audio_mixer_with_effects_processoruhilf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://fotopokidag.epizy.com/chemical_and_catalytic_reaction_engineering.pdf
    • https://ee42ee57-4547-4a8c-8a66-6cccb7f6869d.filesusr.com/ugd/2a9ad2_9351ceb9ec6242ac8d26639bcddfb27d.pdf?index=true
    • http://gujavez.rf.gd/mepiw.pdf
    • https://5c2df1de-05ea-4e17-9aa3-38adc7ce3153.filesusr.com/ugd/ddd609_c30b24d53e9c472c9a06216ab9dc8d64.pdf?index=true
    • http://vapepojova.epizy.com/jonuzudokibavaburuwo.pdf
    • http://womawujun.atwebpages.com/19357220532.pdf
    • http://weponigonimogo.myartsonline.com/bibiliya_yera_download.pdf
    • https://uploads.strikinglycdn.com/files/89ef5621-d96b-4158-b893-b827a0f47460/37916769706.pdf
    • https://uploads.strikinglycdn.com/files/26bf3824-d759-4eca-93b9-125fb2df70a3/general_biology_college_textbook.pdf
    • https://uploads.strikinglycdn.com/files/b92a7f42-51dc-4126-be0b-2f580dcd6f45/73185278093.pdf
    • https://uploads.strikinglycdn.com/files/5c056d54-7a91-4e17-81b0-4517b53ebb7c/corporate_social_responsibility_conflict_between_shareholders.pdf
    • https://uploads.strikinglycdn.com/files/384ad2c1-22fb-4f6f-8b36-ea63dea25b47/73719705055.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
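The PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL findings above can be reproduced on the raw file with a short scanner. The Python below is an added worked example written for this page, not tooling from the report's analysis pipeline. It walks the uncompressed indirect objects, inflates FlateDecode streams, labels every URL with the channel that reaches it (URI action, OpenAction, XMP metadata, stream body) so that namespace and font-licence URLs can be separated from the clickable target, and lists objects defined more than once with differing bodies together with what a first-wins and a last-wins reader would use (file order stands in for xref resolution). The embedded sample PDF is constructed, and the example.invalid hostnames are placeholders, not indicators from this sample. Objects packed into /ObjStm containers and hex-string URIs are outside what this scan sees.

```python
import re
import zlib
from collections import defaultdict

# "N G obj ... endobj" definitions in file order; objects packed inside /ObjStm
# containers are invisible to this scan.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Keys that make a doubly defined object worth escalating.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|EmbeddedFile|RichMedia|SubmitForm)\b")

def scan_objects(pdf):
    """[(num, gen, body)] for every definition; FlateDecode stream data is inflated in place."""
    out = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3).strip()
        s = STREAM_RE.search(body)
        if s and b"/FlateDecode" in body[: s.start()]:
            try:
                body = body[: s.start(1)] + zlib.decompress(s.group(1)) + body[s.end(1):]
            except zlib.error:
                pass  # leave the raw bytes; the URL scan still runs over them
        out.append((int(m.group(1)), int(m.group(2)), body))
    return out

def channel_of(body):
    """Which channel a URL found in this object reaches the user through."""
    if re.search(rb"/Type\s*/Metadata", body):
        return "xmp-metadata"  # namespace identifiers, never an indicator
    if re.search(rb"/S\s*/URI\b", body):
        return "open-action" if b"/OpenAction" in body else "uri-action"  # auto-fire vs click
    if STREAM_RE.search(body):
        return "stream-body"  # page text, images, fonts
    return "other-object"

def extract_urls(pdf):
    """{url: set(channels)} over every object in the file."""
    found = defaultdict(set)
    for _, _, body in scan_objects(pdf):
        ch = channel_of(body)
        for u in URL_RE.finditer(body):
            found[u.group(0).decode("latin-1")].add(ch)
    return dict(found)

def triage(urls):
    """(IOC candidates reached through an action, context-only URLs), both sorted."""
    hot = {"uri-action", "open-action"}
    return (sorted(u for u, c in urls.items() if c & hot),
            sorted(u for u, c in urls.items() if not c & hot))

def rate_duplicates(pdf):
    """Objects defined more than once with differing bodies. 'high' if any version
    carries active content, else 'info' (plain incremental updates look like this)."""
    versions = defaultdict(list)
    for num, gen, body in scan_objects(pdf):
        versions[(num, gen)].append(body)
    report = {}
    for key, bodies in versions.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            report[key] = {
                "definitions": len(bodies),
                "severity": "high" if any(ACTIVE_RE.search(b) for b in bodies) else "info",
                "first_wins": bodies[0],   # what a reader keeping the first definition uses
                "last_wins": bodies[-1],   # what a reader honouring the update uses
            }
    return report

# Constructed sample, not the analysed file: page text in a FlateDecode stream, a link
# annotation whose action object is later redefined by an incremental update.
# example.invalid hosts are placeholders; /Length on the metadata stream is omitted (unused here).
_TEXT = zlib.compress(b"BT /F1 12 Tf 72 700 Td (Download: http://mirror.example.invalid/a.pdf) Tj ET")
_TEXT_OBJ = (b"4 0 obj << /Length " + str(len(_TEXT)).encode() + b" /Filter /FlateDecode >> stream\n"
             + _TEXT + b"\nendstream endobj\n")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 7 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
    + _TEXT_OBJ +
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710] /A 6 0 R >> endobj\n"
    b"6 0 obj << /S /URI /URI (https://files.example.invalid/a.pdf) >> endobj\n"
    b"7 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
    b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
    b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/>\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"6 0 obj << /S /URI /URI (https://lure.example.invalid/123?utm_term=free+download) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    hot, ctx = triage(extract_urls(SAMPLE_PDF))
    print("IOC candidates:", *hot, sep="\n  ")
    print("context only:", *ctx, sep="\n  ")
    for (num, gen), r in rate_duplicates(SAMPLE_PDF).items():
        print(f"object {num} {gen}: {r['definitions']} definitions, severity {r['severity']}")
```

On the real file, `triage(extract_urls(open(path, "rb").read()))` puts the URI-action target in the first list and the XMP namespaces, font strings and body-text links in the second; `rate_duplicates` shows which object the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding refers to and whether either version carries an action.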

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e70a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE70A   4784 bytes
  SHA-256 6bda126c33b5979bbc06e6109a795d6610aff0b6ce9c96d484ab05e27223bf5f
font_01_sfnt_off0000f74f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF74F   3120 bytes
  SHA-256 a5f40fb7f5e419917c03649deab6974af87b35dd119753ad4ed545500495e849
font_02_sfnt_off0001049a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1049A  11520 bytes
  SHA-256 7d8fa66b5a54d9a6e3414c141289c1de92e944c7e24f6c78c4893d081714b3f6
font_03_sfnt_off00012ac1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12AC1  16092 bytes
  SHA-256 ea75db71c9df7250347a03039f742fcd189f5fc3f08964e696816fa8b5227073
font_04_sfnt_off00013f89.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13F89  4324 bytes
  SHA-256 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361
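Embedded fonts are the one component of this file that reaches a native parser in the viewer, so the carved sfnt blobs above deserve a structural check before they are dismissed. The Python below is an added example for this page, not output of the report's carver: it parses the sfnt offset table and table directory, flags records that point outside the blob, a truncated directory, duplicate or non-printable tags, and a 'head' table with the wrong length or magic number, and builds two constructed fonts (one clean, one whose last record claims an out-of-bounds length) to exercise itself. Nothing here states that the five fonts carved from this sample are malformed; run validate_sfnt over the .bin files to find out.

```python
import struct

SFNT_VERSIONS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF", b"true": "TrueType (Apple)"}
HEAD_MAGIC = 0x5F0F3CF5  # 'head' table magicNumber, at offset 12 of the 54-byte table

def parse_sfnt(data):
    """Offset table and table directory of an sfnt blob, as far as the bytes allow."""
    if len(data) < 12:
        raise ValueError("not an sfnt: shorter than the 12-byte offset table")
    num_tables = struct.unpack(">H", data[4:6])[0]
    tables = []
    for i in range(num_tables):
        rec = data[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            break  # directory claims more records than the blob holds
        tag, checksum, offset, length = struct.unpack(">4sIII", rec)
        tables.append({"tag": tag, "checksum": checksum, "offset": offset, "length": length})
    return {"version": data[:4], "num_tables": num_tables, "tables": tables, "size": len(data)}

def validate_sfnt(data):
    """Structural findings a font parser would trip over; an empty list means clean."""
    info = parse_sfnt(data)
    findings = []
    if info["version"] not in SFNT_VERSIONS:
        findings.append("unknown sfnt version %r" % info["version"])
    if not 0 < info["num_tables"] <= 64:
        findings.append("implausible numTables %d" % info["num_tables"])
    if len(info["tables"]) != info["num_tables"]:
        findings.append("table directory truncated (%d of %d records)" % (len(info["tables"]), info["num_tables"]))
    seen = set()
    for t in info["tables"]:
        tag, off, length = t["tag"], t["offset"], t["length"]
        if not all(0x20 <= b < 0x7F for b in tag):
            findings.append("non-printable table tag %r" % tag)
        if tag in seen:
            findings.append("duplicate table %r" % tag)
        seen.add(tag)
        # Python ints do not wrap, so off + length cannot overflow the way a 32-bit parser's would.
        if off < 12 or off + length > info["size"]:
            findings.append("table %r spans [%d, %d) outside the %d-byte blob" % (tag, off, off + length, info["size"]))
            continue
        if tag == b"head":
            if length != 54:
                findings.append("head table length %d, expected 54" % length)
            elif struct.unpack(">I", data[off + 12: off + 16])[0] != HEAD_MAGIC:
                findings.append("head magicNumber mismatch")
    return findings

def build_sfnt(tables, fake_length=None):
    """Constructed test input: a minimal TrueType container from {tag: bytes}.
    searchRange/entrySelector/rangeShift are left 0 (not checked above). When
    fake_length is given, the last directory record lies about its length."""
    tags = sorted(tables)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tags), 0, 0, 0)
    directory, body, offset = b"", b"", 12 + 16 * len(tags)
    for tag in tags:
        data = tables[tag]
        padded = data + b"\0" * (-len(data) % 4)
        length = fake_length if (fake_length and tag == tags[-1]) else len(data)
        directory += struct.pack(">4sIII", tag, 0, offset, length)
        body += padded
        offset += len(padded)
    return header + directory + body

HEAD = bytes(12) + struct.pack(">I", HEAD_MAGIC) + bytes(38)  # 54-byte head with a valid magic
GOOD_FONT = build_sfnt({b"head": HEAD, b"maxp": bytes(6)})
BAD_FONT = build_sfnt({b"head": HEAD, b"maxp": bytes(6)}, fake_length=0x7FFFFFF0)  # maxp runs past EOF

if __name__ == "__main__":
    for name, blob in (("good", GOOD_FONT), ("bad", BAD_FONT)):
        print(name, validate_sfnt(blob) or ["clean"])
```

For a carved artifact, `validate_sfnt(open("font_00_sfnt_off0000e70a.bin", "rb").read())` returns the list of findings; a clean result only says the container is well formed, not that the glyph or hinting programs inside are benign.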