Malicious PDF — malware analysis report

Static analysis result for SHA-256 9631b8e054cdb1eb…

Verdict: MALICIOUS
File type: PDF
Size: 120.8 KB    Created: 2021-03-11 21:02:56 +02:00    Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c1794b825f88650617101c2edb7fef3d    SHA-1: 141059b85e73519cbd2739b9deab7b9a5e518604    SHA-256: 9631b8e054cdb1eb2e4b98776082758d86ae3e92ae9b63e68a70cd30b4d82916
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was detected as malicious by the ML classifier and by ClamAV, which flags it as a phishing trojan. It carries an embedded URI, https://ponafet.ru/123?utm_term=feasibility+study+free+powerpoint+template, whose domain is suspicious and whose use is consistent with a phishing lure. The document body is heavily obfuscated, but the utm_term query parameter of that URI gives away the theme ('feasibility study free powerpoint template'): search-bait content used as social engineering to draw the reader to the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the www.w3.org, purl.org and ns.adobe.com entries below are XMP namespace identifiers and the gnu.org, scripts.sil.org and ascendercorp.com entries are font licence links, i.e. expected metadata residue rather than lure targets.
    • https://ponafet.ru/123?utm_term=feasibility+study+free+powerpoint+template
    • https://gukudobubutagen.weebly.com/uploads/1/3/5/3/135306914/nonajikames_wojunuwat.pdf
    • http://fezatubiwe.getenjoyment.net/41586547008.pdf
    • http://tujemet.scienceontheweb.net/71524154035.pdf
    • https://natumelazorog.weebly.com/uploads/1/3/4/7/134711419/4959631.pdf
    • http://giwapozolaleg.mypressonline.com/nipusifazex.pdf
    • https://fawurefo.weebly.com/uploads/1/3/4/4/134441885/1eb62ca68845.pdf
    • http://nepoxiduvilej.scienceontheweb.net/jagavezededuvipebor.pdf
    • http://wisatemubudu.medianewsonline.com/english_learning_books_in_tamil.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://napepezubebefiw.epizy.com/backtrack_4_free_64_bit.pdf
    • https://uploads.strikinglycdn.com/files/d1a467b3-d654-45c6-8a47-32ed47552c6b/star_trek_voyager_endgame_script.pdf
    • http://namasabelugag.epizy.com/65725002722.pdf
    • http://xibubew.epizy.com/goxagurisugodepezukovona.pdf
    • http://wiwosotu.myartsonline.com/97995686858.pdf
    • https://uploads.strikinglycdn.com/files/50a5d922-00cd-43ce-908d-56a2a1ca7260/average_mechanical_engineer_salary_in_us.pdf
    • http://jedovimesize.epizy.com/suunto_ambit_2s_watch_strap.pdf
    • http://dolifusekaxug.epizy.com/riwezadodide.pdf
    • http://bovuzigaratufob.rf.gd/abp_weddings_apk.pdf
    • http://nabulegewuwal.myartsonline.com/apache_jmeter_user_manual_download.pdf
    • http://ranuvurimokolow.rf.gd/chuyn_sang_jpg_free.pdf
    • http://sonisan.epizy.com/lenovo_t420_processor_socket.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL
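As an added worked example (not part of this report or of the analysis platform's own code), the following Python scanner reproduces the two heuristics above at byte level: it lists indirect objects defined more than once with differing bodies, shows what first-wins and last-wins readers would resolve, raises severity only when one variant carries active content, and labels every extracted URL with the channel that carries it (URI action, XMP metadata, document body, JavaScript, font). The embedded PDF and its example.org / example.net URLs are constructed for the demonstration and are not taken from the analysed sample; the object regex is a triage shortcut, not a conforming PDF parser (no xref walk, no stream-length handling).

```python
"""Byte-level triage for two PDF shapes: an indirect object defined twice with
differing bodies (incremental-update parser confusion) and URLs labelled by
the channel that carries them."""
import re
from collections import defaultdict

# "N G obj ... endobj", stream payload included. Triage shortcut only: it does
# not walk the xref table or honour /Length, so a reader that does may resolve
# objects differently; that divergence is exactly what the duplicate check probes.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Keys whose presence means the object can drive behaviour, not merely draw text.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/GoToE")

# Constructed sample with hypothetical URLs (not the analysed file). An original
# revision is followed by an "incremental update" that redefines object 3 with a
# new /URI target and rewrites object 5 byte-for-byte identical. xref tables are
# omitted because the scanner never needs them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [4 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/docs) >> >>\nendobj\n"
    b"4 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [3 0 R] /Contents 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Length 44 >>\nstream\n"
    b"BT (See https://example.org/readme.pdf) Tj ET\nendstream\nendobj\n"
    b"6 0 obj\n<< /Type /Metadata /Subtype /XML /Length 120 >>\nstream\n"
    b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
    b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/>"
    b"</x:xmpmeta>\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # --- incremental update appended after the first %%EOF ---
    b"3 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.net/lure?utm_term=template) >> >>\nendobj\n"
    b"5 0 obj\n<< /Length 44 >>\nstream\n"
    b"BT (See https://example.org/readme.pdf) Tj ET\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)


def object_definitions(pdf):
    """Map (num, gen) -> list of body bytes in file order, duplicates kept."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def has_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def duplicate_object_findings(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL-style check. Byte-identical rewrites
    (normal in benign incremental saves) are ignored; differing bodies are
    reported, with severity raised only when a variant carries active content."""
    findings = []
    for (num, gen), bodies in object_definitions(pdf).items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": bodies[0],    # what a first-definition reader shows
            "last_wins": bodies[-1],    # what a last-definition reader shows
            "severity": "high" if any(has_active_content(b) for b in bodies) else "info",
        })
    return findings


def url_channel(body):
    """Label the channel carrying a URL from the enclosing object's keys."""
    if b"/JavaScript" in body or b"/JS" in body:
        return "javascript"
    if b"/URI" in body:
        return "link-annotation"
    if b"/Type /Metadata" in body or b"xmpmeta" in body:
        return "xmp-metadata"
    if b"/FontFile" in body or b"/Type /Font" in body:
        return "font"
    return "document-body"


def extract_urls(pdf, policy="last"):
    """Sorted (url, channel) pairs as a first-wins or last-wins reader resolves
    them, so the two views can be diffed."""
    resolved = {k: (v[0] if policy == "first" else v[-1])
                for k, v in object_definitions(pdf).items()}
    return sorted({(u.decode("latin-1"), url_channel(b))
                   for b in resolved.values() for u in URL_RE.findall(b)})


if __name__ == "__main__":
    for f in duplicate_object_findings(SAMPLE_PDF):
        print(f["object"], f["severity"], "first:", f["first_wins"][-60:], "last:", f["last_wins"][-60:])
    first, last = set(extract_urls(SAMPLE_PDF, "first")), set(extract_urls(SAMPLE_PDF, "last"))
    print("only in last-wins view:", last - first)
```

Run both views and diff them: a URL that appears only in the last-wins view is what an up-to-date viewer presents to the user, while a first-wins parser (and many static extractors that stop at the first definition) still sees the original revision. That divergence is the parser-confusion shape the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic describes, and the channel label is what separates a /URI action target from the namespace and licence URLs that legitimately live in XMP and font streams.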

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                        Size
stream_005_off00018757.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x18757     13640 bytes
  SHA-256: 26afeeb279203d45a993871a47a3b01a88399703cc9958b25c7d3aa0cda572a3
font_00_sfnt_off0000edfc.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0xEDFC     44584 bytes
  SHA-256: f40478f36daf8e3c8ff7dda0ed3b16673bb5a005f3a4c7e660dcb30ab016d9b5
font_01_sfnt_off000174c4.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x174C4    5476 bytes
  SHA-256: 58bada2795043e44f587c41f9a61daabd9613c91ada13a762219bbeff73922f4
font_03_sfnt_off0001ad69.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x1AD69    10776 bytes
  SHA-256: 0208561c0513cca6e93e4f97bebcf59cac074d25756a31a38b0f8ef8a73ece78