Malicious PDF — malware analysis report

Static analysis result for SHA-256 9471bb76a0572295…

MALICIOUS

PDF

Size: 84.8 KB
Created: 2021-03-12 21:18:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5dc47e46795764929b6641e07abda366
SHA-1: bd41d9a43e4fb12882e420d1ead0ee90ecfec981
SHA-256: 9471bb76a0572295075e745d7cb61bfd91e6be117da4923df672734aa9f2e949
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged by several independent signals: a critical ClamAV signature match (Pdf.Phishing.Trojan) and an ML classifier score of 0.9955, which together indicate malicious intent. The first extracted URL, 'https://mezovuduw.ru/wix?keyword=epic+war+2+level+7', is a game-themed search lure; most of the remaining URLs are further .pdf links hosted on free or disposable hosting (22web.org, epizy.com, rf.gd, weebly.com, filesusr.com, cdn.sqhk.co) and on assorted .ru, .club, .site and .pro domains, the pattern of an SEO-poisoning PDF link farm whose pages likely redirect to phishing or a malware download. The remaining URLs (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL, and the w3.org, purl.org and ns.adobe.com namespaces) are font foundry and licence references and XMP schema identifiers, which a reader never fetches; they should not be treated as lure targets. The page content is not readable as plain text, but the document metadata names 'wkhtmltopdf' and a creation date, consistent with a PDF rendered from an HTML page by a generator rather than authored in an office suite.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/wix?keyword=epic+war+2+level+7
    • https://cdn.sqhk.co/mivufarowiwi/hbjjSby/marvel_heroes_2016_pc.pdf
    • https://cdn.sqhk.co/sarimotel/TzhcPrG/la_liste_de_schindler_livre.pdf
    • http://smilex.club/dishonored_2_keeps_crashing_pcq186l.pdf
    • http://cmbclientes.com/acog_guidelines_nutrition_during_pregnancytjtsh.pdf
    • http://vejinow.22web.org/play_store_pending_terus.pdf
    • https://cdn.sqhk.co/wexunaveb/gigcGL6/96760373327.pdf
    • https://cdn.sqhk.co/valujoper/hbMjhih/virudiwidod.pdf
    • http://sendgrid-de.com/76383962998u3pjw.pdf
    • http://medebux.22web.org/32450333676.pdf
    • https://kavosoxevab.weebly.com/uploads/1/3/0/8/130874108/a0681d2bc570d82.pdf
    • http://xomuxeje.22web.org/brothers_telugu_movie_songs_320kbps.pdf
    • http://servisvds.ru/10977706429p08bp.pdf
    • http://akvatehnika74.ru/definition_of_protected_health_information_45_cfrnmlwn.pdf
    • https://cdn.sqhk.co/gesokusa/jijhdgd/sonic_4_episode_2_apk_download_android_game.pdf
    • http://shtancircul.site/sat_vocab_list_4_quizlet094e2.pdf
    • http://discount50it.pro/43779191796cbfzd.pdf
    • http://immortal-sho.club/11165877584jzrky.pdf
    • https://liwifaxuje.weebly.com/uploads/1/3/0/8/130874244/4859039.pdf
    • http://kamaz-ftc.com/6466257223v4dtn.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://45e41439-46a4-4c97-84f0-155cfeda4cef.filesusr.com/ugd/9d7ad9_23f97d4e1770494ebce64fe8ca03f35e.pdf?index=true
    • http://fudogupadi.rf.gd/zimowuvuwisapokimotum.pdf
    • https://6d428a25-da86-44fa-8f13-5b0f09742281.filesusr.com/ugd/3649d2_f1742e991fcb4181a201e548f7e3ecb9.pdf?index=true
    • https://bdee3e82-1fe6-4084-b289-f15f5249f83e.filesusr.com/ugd/749937_817de6bf493c43a4b9db9d036de3fcf8.pdf?index=true
    • http://poxemibusap.epizy.com/tameguzozubodizideribo.pdf
    • https://5548a280-a194-4776-8019-0e256783c1fa.filesusr.com/ugd/f2c1dc_abe7689095364498a1d628aad17c41fb.pdf?index=true
    • https://645c32c3-7e99-4959-b93b-7980205539d7.filesusr.com/ugd/30a31c_b8ac24b2b6d446339ed56fddcdcb094d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
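The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above describes a parser-confusion shape: the same indirect object defined twice with different bodies, so first-wins and last-wins readers resolve different content, and the case only matters when the divergent body carries active content. The Python scanner below, added here as an example and not code from the analysis platform or from the sample, reproduces that check on a constructed two-revision PDF: object 4 0 is a link annotation whose /URI target changes in the incremental update, while object 1 0 is re-emitted unchanged, the harmless pattern of a benign incremental save. The object numbers, URLs and the ACTIVE_KEYS list are assumptions for the example; the scan works on raw bytes and will not see objects packed inside compressed object streams.

```python
import re
from collections import defaultdict

# "N G obj ... endobj" in a raw PDF body. Objects packed into compressed object
# streams (/Type /ObjStm) are invisible to this scan; inflate those first.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.S)

# Keys whose presence in a divergent body makes the confusion worth escalating
# (assumed list for this example; extend as needed).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

CATALOG = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

# Constructed sample: an original revision followed by an incremental update.
# xref tables and /Prev links are omitted because the scan never uses them.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    CATALOG,
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n",
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n",
    b"   /A << /S /URI /URI (https://example.org/benign) >> >>\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    # Update: object 1 re-emitted byte-for-byte (harmless, common in benign
    # incremental saves), object 4 re-defined with a different link target.
    CATALOG,
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n",
    b"   /A << /S /URI /URI (https://lure.example/wix?keyword=game) >> >>\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])


def collect_definitions(pdf):
    """Map (num, gen) -> list of body bytes, in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def resolve(pdf, num, gen, policy="last"):
    """Model the two reader behaviours: 'first' keeps the earliest definition,
    'last' the latest (what a forward-scanning recovery parser usually does)."""
    bodies = collect_definitions(pdf).get((num, gen))
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]


def find_duplicate_objects(pdf):
    """Report every object id defined more than once with differing bodies.
    Identical re-definitions are skipped; severity is raised only when one of
    the divergent bodies carries active content."""
    findings = []
    for (num, gen), bodies in collect_definitions(pdf).items():
        if len(set(bodies)) < 2:
            continue
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "severity": "high" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"obj {f['obj']}: {f['definitions']} definitions, severity {f['severity']}")
        print("  first-wins:", f["first_wins"].decode())
        print("  last-wins: ", f["last_wins"].decode())
```

Running the script prints one finding for object 4 0 with severity high: a first-wins reader lands on example.org, a last-wins reader on the lure domain. Re-emitting object 1 0 unchanged produces no finding, which is the distinction the heuristic draws between a benign incremental update and a targeted one.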
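The EMBEDDED_URL heuristic notes that a URL on its own is not a detection and that the channel which reaches it (link annotation, JavaScript, metadata, document body) is what matters. The script below, added as an example rather than code from the analysis platform, labels each URL in a raw PDF with the container it sits in and applies the three-way split a triager would use on the list above: URLs reached by an active channel (/URI actions, /JS), XMP schema namespaces such as w3.org and ns.adobe.com that are never fetched, and everything else for manual review. The sample PDF and its URLs are constructed placeholders on example domains; it omits /Length values and an xref table, so it is for byte scanning only, not for opening in a viewer, and the literal-string matching is deliberately simple (no nested parentheses or hex strings).

```python
import re

# Constructed sample, not the analysed file: an uncompressed PDF carrying a URL
# in each channel of interest. /Length values and the xref table are omitted,
# so it is meant for byte scanning only, not for opening in a viewer.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R
   /OpenAction << /S /JavaScript /JS (app.launchURL("https://js.example/drop", true)) >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Resources << /Font << /F1 5 0 R >> >> >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]
   /A << /S /URI /URI (https://lure.example/wix?keyword=epic+war+2) >> >>
endobj
5 0 obj
<< /Subtype /TrueType >>
stream
FONTDATA placeholder; licence text: http://scripts.sil.org/OFL
endstream
endobj
6 0 obj
<< /Type /Metadata /Subtype /XML >>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
          xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")

# Containers a URL may sit in, checked in this order; the first hit wins, so an
# XMP packet (itself inside a stream) is labelled xmp-metadata, not stream.
# Literal strings end at the first unescaped ')'; nested parentheses and hex
# strings are not handled in this example.
REGION_PATTERNS = [
    ("uri-action",   re.compile(rb"/URI\s*\((?:[^)\\]|\\.)*\)", re.S)),
    ("javascript",   re.compile(rb"/JS\s*\((?:[^)\\]|\\.)*\)", re.S)),
    ("xmp-metadata", re.compile(rb"<\?xpacket begin.*?<\?xpacket end[^>]*\?>", re.S)),
    ("stream",       re.compile(rb"\bstream\r?\n.*?\r?\nendstream", re.S)),
]

# Channels the reader follows on click or document open.
ACTIVE_CHANNELS = {"uri-action", "javascript"}
# Hosts that appear in PDFs as XMP/RDF schema identifiers, never as link targets.
NAMESPACE_HOSTS = ("www.w3.org", "purl.org", "ns.adobe.com")


def extract_urls(pdf):
    """Return {url: {channel, ...}} for every URL in the raw bytes."""
    regions = [(label, m.start(), m.end())
               for label, pat in REGION_PATTERNS for m in pat.finditer(pdf)]
    found = {}
    for m in URL_RE.finditer(pdf):
        channel = "body"  # not inside any recognised container
        for label, start, end in regions:
            if start <= m.start() and m.end() <= end:
                channel = label
                break
        found.setdefault(m.group().decode("latin-1"), set()).add(channel)
    return found


def triage(found):
    """Split URLs into what a triager acts on, ignores, or reviews by hand."""
    rows = []
    for url, channels in sorted(found.items()):
        host = url.split("/")[2].lower()
        if channels & ACTIVE_CHANNELS:
            verdict = "actionable"      # reachable by click or document open
        elif host in NAMESPACE_HOSTS or channels == {"xmp-metadata"}:
            verdict = "informational"   # schema namespace, never fetched
        else:
            verdict = "review"          # e.g. licence link inside a font stream
        rows.append((url, sorted(channels), verdict))
    return rows


if __name__ == "__main__":
    for url, channels, verdict in triage(extract_urls(SAMPLE_PDF)):
        print(f"{verdict:13} {','.join(channels):14} {url}")
```

Applied to the list above, this is the split the summary relies on: the mezovuduw.ru link and the .pdf links on free hosting are the actionable set, the w3.org, purl.org and ns.adobe.com entries are namespaces from the XMP packet, and the foundry and OFL links are strings inside the embedded font streams that warrant a look but are not lure targets.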

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename, SHA-256, kind, source and size of each carved file:

  • font_00_sfnt_off000103e3.bin
    SHA-256: 96f74d878bbc5b70fd61304b389a9ee9fa9e92899bbe9cfcad57098b920f1f49
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x103E3
    Size: 4564 bytes
  • font_01_sfnt_off00011387.bin
    SHA-256: d8d3fa3cb7c82fa6fed4a20f33f773463254b9ecdaacb71d63d3ad70fb1fbbaa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11387
    Size: 10580 bytes
  • font_02_sfnt_off000137ac.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x137AC
    Size: 4324 bytes