Malicious PDF — malware analysis report

Static analysis result for SHA-256 90b7af450469504d…

Verdict: MALICIOUS
File type: PDF
Size: 82.6 KB
Created: 2021-07-22 00:54:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: b7d65b2e97134ca804ce776dd5397e0d
SHA-1: 3bb0c41f3769a9bd53ac43da15659496a6fd1815
SHA-256: 90b7af450469504db73458c03ad9de7a07b17def4218554bceb1f6ab52fde1d6
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF with a high ML classifier score and a ClamAV detection for 'Pdf.Phishing.Trojan'. It contains an embedded URL pointing to 'nomylo.ru', which is likely used to deliver a malicious payload or conduct phishing. No scripts were extracted, but the PDF structure and embedded URI are strong indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://nomylo.ru/square?utm_term=nouns+ending+in+x
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ee12eb2a4cda17625ae556/1626215148291/love_actually_bloopers.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f3981e32548145d78df724/1626576926128/wexirakazowezogage.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f8906fc339af15f88b7a60/1626902639453/relation_between_frequency_and_kinetic_energy.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f628ec357ac3162229d904/1626745068232/85260970960.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f88dc6aa10666fbee25ec8/1626901958925/80380356796.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ee322884a0477e84aa7fcc/1626223144081/fundamentals_of_human_physiology_sherwood_free_download.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f892cc28485f07d42b801c/1626903244219/tomato_galette_with_puff_pastry.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f04c1c166c7e6eb053cc31/1626360860511/signs_and_symptoms_of_hypercalcaemia.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60eda4728d40d36f008494f4/1626186866279/89047554352.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f8527c2a86e44a1ce8f406/1626886780038/discharge_note_physical_therapy.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f851a9ae6a2d324b73b259/1626886569528/74911315134.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60f515199c7c9f0ea9af5d47/1626674457579/57512578096.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f0576f0d9e4679a05a0d91/1626363759192/zuzobaxogused.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f7874953df297156b1fc2d/1626834761579/mupakarejorasugi.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f88d5515b3010569c61583/1626901845518/different_types_of_connectives_ks2.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60edcef4c450ee47307d278f/1626197748766/rose_and_the_petal_pushers.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                     | Size
font_00_sfnt_off0000e0dc.bin  | 1bc501fa63a9f71084fa1c0e5377dd3610b82f4fac394f31b08f79586821cb66 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE0DC  | 10196 bytes
font_01_sfnt_off0000f79c.bin  | 2cd11a7812171be7d598e1de0be7f274e02c65624ab718ea0921a809a7a61b45 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF79C  | 17300 bytes
font_02_sfnt_off0001248f.bin  | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1248F | 16792 bytes