Malicious PDF — malware analysis report

Static analysis result for SHA-256 91bd8f005deb581a…

Verdict: MALICIOUS
File type: PDF
Size: 117.1 KB
Created: 2021-03-26 00:46:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0994acdc899954f75366e178c21222e0
SHA-1: f253285c48140679f4d76c7fcbab1b23a2e2d315
SHA-256: 91bd8f005deb581ae752ce0ab6ece4a9d26d85cc37fe5f92dcd190a9e489b70d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URL, https://leonvi.ru/award?keyword=chiller+york+manual+pdf, is likely used to redirect the user to a phishing or malware distribution site. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'chiller york manual pdf', suggesting a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/award?keyword=chiller+york+manual+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000187ee.bin
    SHA-256: 4d6e818759e1500fbadc5ac0e0abe3dbc722046b9becceb28bec0deb1adb22ab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x187EE
    Size: 5172 bytes
  • font_01_sfnt_off00019960.bin
    SHA-256: 578231b7ccc21c5bf96bde3c9ba45582f499893dcf1f2ff4f18e45f84a643eb5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19960
    Size: 14088 bytes