Malicious PDF — malware analysis report

Static analysis result for SHA-256 92bbe51989b24451…

Verdict: MALICIOUS
File type: PDF
Size: 80.6 KB
Created: 2021-03-28 17:07:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: da579760619e87271e05f8e8bfb07ce3
SHA-1: d45e6995b32274265edc64ac851bd8f945d9212f
SHA-256: 92bbe51989b24451cd321ccb26279e099edf1089bfde44ee6f3bc6e2df7f9ef3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an external URI pointing to a URL that appears to be a lure for downloading further malicious content, disguised as 'Manorama weekly old novels pdf'. The ML classifier and the ClamAV detection both strongly indicate malicious intent. Although no scripts were extracted, the PDF structure and the embedded URLs suggest it is designed to trick users into downloading and opening further malicious documents or executables.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9950

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/award?keyword=manorama+weekly+old+novels+pdf
    • https://cdn.sqhk.co/jujejorule/IQjgijy/striker_soccer_fields.pdf
    • https://cdn.sqhk.co/nufopusifa/3hbhbjc/hungry_snake_game_download.pdf
    • https://cdn-cms.f-static.net/uploads/4501996/normal_603635c8a63c9.pdf
    • https://cdn-cms.f-static.net/uploads/4392666/normal_6038559a7a31f.pdf
    • https://cdn-cms.f-static.net/uploads/4529149/normal_60152e2375e6c.pdf
    • https://cdn.sqhk.co/nowovadizeb/hdgcbib/wwe_news_and_rumors_retribution.pdf
    • http://nubigawe.22web.org/what_are_the_two_advantages_of_glycolysis.pdf
    • http://xivoxuvawet.iblogger.org/aghora_mantra_in_telugu.pdf
    • https://cdn-cms.f-static.net/uploads/4485152/normal_6041339373b4e.pdf
    • https://cdn-cms.f-static.net/uploads/4455672/normal_5fd7019cea296.pdf
    • https://static.s123-cdn-static.com/uploads/4421056/normal_5fdd3ae5ec8d5.pdf
    • http://betomererag.iblogger.org/live_life_lives_difference.pdf
    • https://cdn-cms.f-static.net/uploads/4425487/normal_605515cc67a34.pdf
    • https://cdn-cms.f-static.net/uploads/4378606/normal_603e2a46b05ed.pdf
    • https://cdn.sqhk.co/bejadelu/XSjjPgj/american_express_chat_support_jobs.pdf
    • https://static.s123-cdn-static.com/uploads/4372384/normal_5fc87f043db95.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://poberebom.epizy.com/kunebikajozevopekutab.pdf
    • http://bofurirekotiru.epizy.com/approaches_of_community_development.pdf
    • https://uploads.strikinglycdn.com/files/1bcadf54-b7a7-406b-8b91-f5859f2206df/1_kilometro_cuantos_milimetros_son.pdf
    • http://dixadenidufudu.epizy.com/yaariyan_baarish_female_version_full_song.pdf
    • https://uploads.strikinglycdn.com/files/e8e455e5-ad1b-42e3-8dcb-b9c923dd5f28/how_to_pick_background_color_in_zoom.pdf
    • https://uploads.strikinglycdn.com/files/63c64c2b-c2e0-4303-82ae-2e10554448b3/what_gpa_do_you_need_to_get_into_university_of_colorado_boulder.pdf
    • https://uploads.strikinglycdn.com/files/3f0cebcb-165a-41da-b611-e41ac1aaae0f/36503843543.pdf
    • https://uploads.strikinglycdn.com/files/27479fb9-4767-41ec-bdb6-3a6db88a237d/tebovegemowogixoxabimu.pdf
    • http://wejivuwipo.epizy.com/answer_key_eureka_math_grade_1.pdf
    • http://katutexe.epizy.com/aryavarta_chronicles_kurukshetra.pdf
    • http://nigiragesowujow.epizy.com/memimevilevum.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e547.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE547
    Size: 5512 bytes
    SHA-256: c3cc72577250c3fcbecfb54ffa1c4fb12396b1ff22b3d781ba2ea44153110608
  • font_01_sfnt_off0000f81f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF81F
    Size: 11572 bytes
    SHA-256: eeec16e8aa7bff8de2f53e56d743ebb3143891dac2be7136243e9ced03d78a8a
  • font_02_sfnt_off00011f41.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11F41
    Size: 16204 bytes
    SHA-256: 532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e