Malicious PDF — malware analysis report

Static analysis result for SHA-256 91a1d83e292bfca7…

MALICIOUS

PDF

Size: 73.3 KB
Created: 2021-05-03 10:53:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c82a6acd1b5b837e28b88d6d0a8e88c
SHA-1: db51336713b6773a8b19e26442175de3a6ae0c9d
SHA-256: 91a1d83e292bfca7b022c2daad7ba88b40ef13b29174f0898a38afd9477e59d6
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URL points to a PDF file hosted on a potentially compromised website, suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains references to 'manual archive outlook 2013 not working', likely a lure to entice users to open the malicious PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000df9c.bin | db478216169df321ea955183b8ff52606de7398dec4058458842183d791b0bad | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF9C | 5592 bytes
font_01_sfnt_off0000f2cd.bin | 1dc6ca76599a4789a81969faadff1d53dc7b484648202d4366b7134837548d18 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF2CD | 10904 bytes