Malicious PDF — malware analysis report

Static analysis result for SHA-256 94f1b5d1cd5c0ad2…

MALICIOUS

PDF

Size: 205.7 KB
Created: 2021-05-16 15:32:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 8ea933c1e38e76788794ee1bf8134d48
SHA-1: 2f568d3c9ec99b7ab9dd64aaf5b1fdc861175d26
SHA-256: 94f1b5d1cd5c0ad2def0f6c0598f8eb68f40d533f380455ce38820b1b2024002
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a link annotation whose URI points to a suspicious domain (pelibifir.ru); the file itself is flagged as malicious by a ClamAV phishing signature and by the Nyx ML classifier. The document text, though heavily obfuscated, suggests a product-review lure (the link's utm_term parameter reads "beeman sportsman rs2 series review"). The many external PDF-hosting URLs in the document body indicate an attempt to redirect the reader to further content, most likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9710

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Only the first URL below is wired to a clickable link annotation; the rest were found in document text. The w3.org, purl.org and ns.adobe.com entries are standard XMP/RDF metadata namespace URIs, and scripts.sil.org/OFL is the SIL Open Font License URL from an embedded font; these are benign metadata strings, not lures.
    • https://pelibifir.ru/strik?utm_term=beeman+sportsman+rs2+series+review (PDF link annotation)
    • https://revogofoti.weebly.com/uploads/1/3/3/9/133999152/4011223.pdf (in PDF document text)
    • https://loxoxonejuk.weebly.com/uploads/1/3/4/6/134684666/zoveti-xinalapivoziz-menegadu-rijaneragiv.pdf (in PDF document text)
    • https://cdn.sqhk.co/rixutixim/zjcpozj/ant_city_game.pdf (in PDF document text)
    • https://cdn.sqhk.co/gotofebelu/LwVgfig/ultimate_galactic_conquest_mod.pdf (in PDF document text)
    • http://zakofuta.66ghz.com/las_capitulaciones_de_santa_fe.pdf (in PDF document text)
    • https://cdn.sqhk.co/jekefebiba/hcihEic/amazon_go_jobs_near_me.pdf (in PDF document text)
    • https://varovugunigode.weebly.com/uploads/1/3/4/4/134480676/9082570.pdf (in PDF document text)
    • https://pulezigo.weebly.com/uploads/1/3/4/6/134600697/jeloxuxakuto-rimume-vewilesuwigunag.pdf (in PDF document text)
    • https://cdn.sqhk.co/pikikunifav/Ls1icha/boris_cyrulnik_resilience.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://jixenefotudak.epizy.com/array_programs_in_php.pdf (in PDF document text)
    • https://s3.amazonaws.com/lusabifef/zabofarilikajav.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ff06dc72-46ef-4410-b80a-809a7337a14e/what_was_the_main_goal_of_the_congressional_reconstruction.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a6dfa7a3-60f5-471e-b65b-8a6f90a2e0d5/carusos_15_day_detox_eating_plan.pdf (in PDF document text)
    • https://s3.amazonaws.com/fusopoxipo/losurefixefinobomodavofi.pdf (in PDF document text)
    • http://borosiker.rf.gd/free_activity_worksheets_for_3_year_olds.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9a90082e-a169-4304-a34d-dc3bd69847fc/crosley_record_player.pdf (in PDF document text)
    • https://89e38ec3-4f9a-4901-8333-056bfd5bbc5c.filesusr.com/ugd/3df7a3_e59caca2d2bf440ebf5ddc6fd77a7b84.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/gomaxod/nibirovakirujat.pdf (in PDF document text)
    • http://parejibeve.epizy.com/business_model_generation_osterwalder_download.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/45d91085-09e5-45be-8c94-6fb493806914/komugoxulobazi.pdf (in PDF document text)
    • https://aa514bbb-a96e-4bc9-8ff3-0ca2edd1104f.filesusr.com/ugd/3fc21f_00847a299c9d4cf9b838559a8d41a628.pdf?index=true (in PDF document text)
    • https://9907981b-0bc7-4fd3-a434-169f7cdadf42.filesusr.com/ugd/575363_680ec528bcf54b3082326f6ba2995b1e.pdf?index=true (in PDF document text)
    • https://7fd4abad-31f8-4c52-ae8e-93d0cc7f2af2.filesusr.com/ugd/910e70_74a75910661b4ede9922fe673f633e5e.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/lekizopiloref/how_to_set_ge_digital_timer_15079.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
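The two heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI) can be reproduced with a small byte-level scanner. The following is an added example written for this report, not the scanner's own code: it locates every `N G obj ... endobj` definition, reports object numbers that are defined more than once with differing bodies, marks whether any of those bodies carries active content, and then shows which /URI a first-wins reader and a last-wins reader would each act on. The sample PDF is constructed inline with placeholder domains (example.com / example.net, not the domains from this sample), has no xref table because the scanner reads raw bytes, and the list of "active content" keys is this example's own assumption, not the report's exact rule.

```python
import re
from collections import defaultdict

# "N G obj <body> endobj". Non-greedy match is enough for an illustration;
# a stream whose bytes contain the literal "endobj" would need a real
# tokenizer that honours /Length.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values, allowing backslash escapes inside the parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Keys treated as "active content" when deciding whether a duplicate
# definition deserves a raised severity (assumption of this example).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# Constructed sample. The first revision ends at %%EOF; an incremental
# update then appends a second definition of object 4 with a different
# link target. A last-wins reader follows the new link; a first-wins
# reader still resolves the original one.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.com/review) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # --- incremental update appended by the attacker ---
    b"4 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.net/lure) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def parse_objects(pdf: bytes):
    """Return (num, gen, body, file_offset) for every definition, in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(pdf)]


def find_duplicate_objects(pdf: bytes):
    """Group definitions by (num, gen) and report those whose bodies differ.

    Each report entry records how many times the object was defined, the
    body a first-wins reader sees, the body a last-wins reader sees, and an
    'active' flag set when any of the bodies carries an ACTIVE_KEYS key.
    """
    defs = defaultdict(list)
    for num, gen, body, off in parse_objects(pdf):
        defs[(num, gen)].append((off, body))
    report = {}
    for key, entries in defs.items():
        bodies = [b for _, b in entries]
        if len(set(bodies)) < 2:          # identical re-definitions are noise
            continue
        report[key] = {
            "count": len(entries),
            "offsets": [off for off, _ in entries],
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
        }
    return report


def extract_uris(pdf: bytes, policy: str = "last"):
    """Resolve objects under a 'first' or 'last' wins policy and return the
    /URI strings a reader with that policy would actually follow."""
    chosen = {}
    for num, gen, body, _ in parse_objects(pdf):
        if policy == "first" and (num, gen) in chosen:
            continue                       # keep the earliest definition
        chosen[(num, gen)] = body          # 'last': later definition overwrites
    uris = []
    for body in chosen.values():
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


if __name__ == "__main__":
    for (num, gen), info in find_duplicate_objects(SAMPLE_PDF).items():
        sev = "raised" if info["active"] else "info"
        print(f"object {num} {gen}: defined {info['count']}x at offsets "
              f"{info['offsets']}, active content -> severity {sev}")
    for policy in ("first", "last"):
        print(f"{policy}-wins reader follows: {extract_uris(SAMPLE_PDF, policy)}")
```

Running the script against the constructed sample reports object 4 0 as defined twice with active content, and shows the first-wins and last-wins readers following different links, which is exactly the disagreement the heuristic is looking for. On a real sample, run it over the file bytes and compare the two URI lists with what the renderer in your sandbox actually opened.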

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                        Size
font_00_sfnt_off0002e33a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x2E33A    5268 bytes
  SHA-256: d5e9dd5832fcdf906d37b7a5cf343ae257d6055bf3bb960df314218202f53cab
font_01_sfnt_off0002f512.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x2F512    2344 bytes
  SHA-256: 3710f46d2f908ede9c06af5dbb255e08808dbbafc4bec95595eaa4b3b3bd2136
font_02_sfnt_off0002ff7b.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x2FF7B    12080 bytes
  SHA-256: e6d75b7610e41bce213860a66b5f6bd8ea4a196cb2f61c756621d27737098a2f