Malicious PDF — malware analysis report

Static analysis result for SHA-256 92f9513a016c02db…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-20 08:11:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 738067d60bc8edf764eea2e3dd395b87
SHA-1: d17f4fc762456ea052fb14eab04e4f5d9f829890
SHA-256: 92f9513a016c02db5466a0c880aeeadab90a4a8a72f94885d9fda364a8784669
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by the ML classifier and by ClamAV, whose signature names it as a PDF phishing trojan. It carries an external link action whose target is the suspicious domain 'seumenha.ru'; the URL's utm_term parameter matches the document's lure text ('Epic of Sundiata sparknotes'), so the link most likely leads to a phishing page or to the next stage of the attack. The document body is heavily obfuscated but appears to be a search-engine-optimised lure built around that title. Note that although T1059.007 (JavaScript) is tagged above, none of the heuristics listed below reports JavaScript in the file; the only active-content channel observed is the URI link action.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reaches each URL. The first URL below is the target of the external link action; the remaining entries include further document links plus XMP/RDF namespace URIs (w3.org, purl.org, ns.adobe.com) and the SIL Open Font License URL from the embedded font, which are ordinary metadata references rather than navigation targets.
    • https://seumenha.ru/strik?utm_term=epic+of+sundiata+sparknotes
    • https://static.s123-cdn-static.com/uploads/4460983/normal_5fdfd2fde31d6.pdf
    • https://cdn-cms.f-static.net/uploads/4377380/normal_600a52927678b.pdf
    • https://cdn-cms.f-static.net/uploads/4446275/normal_5fe744b04583f.pdf
    • https://mulomaninivoxom.weebly.com/uploads/1/3/1/4/131437045/ropazasudu_dupobuzarorebav.pdf
    • https://static.s123-cdn-static.com/uploads/4388842/normal_5fedb8af0dc7a.pdf
    • https://cdn-cms.f-static.net/uploads/4470231/normal_60158a9622b26.pdf
    • https://static.s123-cdn-static.com/uploads/4418565/normal_5fdff79c72c0c.pdf
    • https://cdn-cms.f-static.net/uploads/4375509/normal_601ec21e40e2b.pdf
    • https://cdn-cms.f-static.net/uploads/4450156/normal_602b6cf14b62f.pdf
    • https://pudoxarunisit.weebly.com/uploads/1/3/1/1/131164251/1578c87.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/28a1b178-9f44-4f6d-b469-d97f91d36443/rimetosibijuxubevezotot.pdf
    • https://s3.amazonaws.com/zevutebulaworel/what_is_the_value_of_cos_180_in_fraction.pdf
    • https://s3.amazonaws.com/runuzitexokol/uel_direct_absence_form.pdf
    • https://s3.amazonaws.com/tobito/catcher_in_the_rye_soundtrack_project.pdf
    • https://da550aaf-34ae-4f9b-ad82-7836b82beebe.filesusr.com/ugd/a203e6_d9b4c2f73f00424bac7bb07b81e0698c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1fabad7b-5ea7-4008-8e36-7902715ec8fd/oppo_bdp-103d_manual.pdf
    • https://e4fb9bf1-a3d6-4767-9bf2-2a1021e5dc09.filesusr.com/ugd/53cfc7_3c1a64756c2c438395595c2dc63289ba.pdf?index=true
    • https://a8a2d6b8-6248-42a0-90a4-e25e421c2e59.filesusr.com/ugd/f63f29_26d8587c896444d5837b4cbaf64999f7.pdf?index=true
    • https://s3.amazonaws.com/tonisefoteka/ejercicios_resueltos_funciones_trigonometricas.pdf
    • https://cceb078e-1df6-42b0-9e12-359f30e42f1d.filesusr.com/ugd/e8506d_9a213dd26ef743109d96fdc1fdda0764.pdf?index=true
    • https://uploads.strikinglycdn.com/files/151e6b0f-ca5b-4a58-9fb3-4b9cc231e769/drinkwell_platinum_pet_fountain_manual.pdf
    • https://uploads.strikinglycdn.com/files/2c67c57f-137e-4aba-9969-3bdb9a4660cd/how_to_install_cracked_minecraft_on_linux.pdf
    • https://uploads.strikinglycdn.com/files/074be4b8-3a12-4267-b677-89e18ef94b62/acca_jobs_in_uk_for_indian.pdf
    • https://e6c529cc-411f-4195-b5ea-7b5fd081490a.filesusr.com/ugd/b7ab08_480fc564495d4be4abfa333d52793f3b.pdf?index=true
    • https://s3.amazonaws.com/fotojipifuzitul/what_are_the_types_of_fractures.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
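The two structural heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a short byte-level scanner. The following is an added example written for this report, not code from the analysis platform: it walks every "N G obj ... endobj" definition, keeps duplicates in file order, emulates first-wins and last-wins resolution, and extracts /URI targets tagged with the channel that reaches them and with which reader policy would actually see them. The sample PDF is constructed for the demonstration (the domains in it are placeholders, not the analysed sample's URLs); xref offsets are omitted because the scanner ignores the xref chain on purpose, which is exactly why it sees both definitions of object 4.

```python
"""Scan a PDF for duplicate indirect-object definitions and /URI actions.

Added example for this report; the sample bytes are constructed, not the
analysed file. Only literal-string /URI operands are handled (hex strings
and escaped parentheses are out of scope).
"""
import re
from collections import defaultdict

# "N G obj ... endobj": non-greedy so each definition ends at its own endobj.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI followed by a literal string in parentheses.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicate "active": the object does something
# when rendered or clicked, so first-wins vs last-wins changes behaviour.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")

# Constructed sample: a one-page PDF whose link annotation (object 4) is
# redefined by an incremental update. The original copy points at a
# benign-looking document, the appended copy at a lure (placeholder domains).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20]
   /A << /S /URI /URI (https://example.org/manual.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20]
   /A << /S /URI /URI (https://example.invalid/strik?utm_term=lure) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order, keeping every duplicate."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def resolve(data: bytes, num: int, gen: int = 0, policy: str = "last"):
    """Emulate a first-wins or last-wins reader for one object; None if undefined."""
    bodies = parse_objects(data).get((num, gen))
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def find_duplicate_objects(data: bytes) -> list:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (N G) defined twice with different bytes.

    Identical re-definitions are skipped (a plain rewrite, not a confusion shape);
    'active' is True when any of the bodies carries an action key.
    """
    findings = []
    for key, bodies in parse_objects(data).items():
        if len(bodies) < 2 or all(b == bodies[0] for b in bodies):
            continue
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
        })
    return findings


def extract_uris(data: bytes) -> list:
    """PDF_URI / EMBEDDED_URL: every /URI operand, tagged with the channel that
    reaches it and with which reader policy would resolve the defining object."""
    hits = []
    for key, bodies in parse_objects(data).items():
        for idx, body in enumerate(bodies):
            channel = "link-annotation" if b"/Link" in body else "action-dict"
            if len(bodies) == 1:
                visible = "both"
            elif idx == 0:
                visible = "first-wins"
            elif idx == len(bodies) - 1:
                visible = "last-wins"
            else:
                visible = "neither"
            for m in URI_RE.finditer(body):
                hits.append({"url": m.group(1).decode("latin-1"), "obj": key,
                             "channel": channel, "visible_to": visible})
    return hits


if __name__ == "__main__":
    for d in find_duplicate_objects(SAMPLE_PDF):
        print(f"duplicate obj {d['obj']} x{d['definitions']} active={d['active']}")
    for h in extract_uris(SAMPLE_PDF):
        print(f"{h['visible_to']:<10} {h['channel']:<16} obj {h['obj']}  {h['url']}")
```

Run against the constructed sample, the scanner reports object (4, 0) as defined twice with active content, and lists both URLs: the benign one is what a first-wins reader (and a naive "first match" triage script) would follow, the lure is what a last-wins reader such as a typical viewer honouring the incremental update would open. When triaging a real file, run the scanner over the raw bytes rather than through a PDF library that has already applied one resolution policy, otherwise the discarded definition is invisible.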

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000f0fe.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF0FE    5140 bytes
  SHA-256: f06aaf8526d3b11d8f125390a3e62b3e338fa79d43bb672b464857f7f72e9596
font_01_sfnt_off00010294.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10294   9864 bytes
  SHA-256: f4e6e4f6f2449d89907f50164df66a234cca77eb0ab76e76d5583ce8dd82ee49