Malicious PDF — malware analysis report

Static analysis result for SHA-256 964a03448dbbd9e7…

Verdict: MALICIOUS
File type: PDF
Size: 438.4 KB
Created: 2022-05-23 11:09:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2022-07-15
MD5: a990dd22f9f245d655bcdf50fd97d840
SHA-1: 9cf80b199a19eccb6dac10acced6d35c56985606
SHA-256: 964a03448dbbd9e7175021d0f1f4ba127faaf6a2b7a28ca66dc055197716791c
Risk score: 66

Malware Insights

MITRE ATT&CK

  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

Note: T1566.002 is the Spearphishing Link sub-technique (Spearphishing Attachment is T1566.001); the ID matches the behaviour observed here, a document whose payload is an external link. The PowerShell mapping is not backed by any heuristic below: the only active content flagged is a URI action, and no script or launch action was reported.

ClamAV identifies the file as malicious (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0). The document carries an external URI action pointing to 'https://norin.co.za/XSRYdR1H?utm_term=cardiovascular+physiology+pappano+pdf++full+length'; the query string mimics a textbook-download search term, the lure a user who went looking for that PDF would expect to land on, which is a strong indicator of a phishing or malware-distribution redirect. The document body additionally links to dozens of PDFs hosted on weebly.com subdomains and on third-party file-upload directories. Taken together, the PDF structure and these external links indicate a social-engineering redirect to a potentially harmful site: the risk lies in where the user is sent, not in the file's own rendering.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4362

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://norin.co.za/XSRYdR1H?utm_term=cardiovascular+physiology+pappano+pdf++full+length
    • https://torofijode.weebly.com/uploads/1/3/5/9/135978969/ruxer-sizetoraf-pafupukovofef-kafepazape.pdf
    • https://kenkochaya.com/user_data/ckfinder/files/87944441198.pdf
    • https://xefiviwalu.weebly.com/uploads/1/4/1/8/141815090/xulorurosibop-botazaj-tekepejinijira-juvufa.pdf
    • https://nelodukes.weebly.com/uploads/1/3/6/0/136085721/xigemu.pdf
    • http://heathrowairporttaxi.website/userfiles/file/wodeluparedojotuvusovi.pdf
    • https://jodeliloku.weebly.com/uploads/1/3/5/9/135975589/6697568.pdf
    • https://nuzaxegef.weebly.com/uploads/1/3/4/8/134857273/5811229.pdf
    • https://befufagu.weebly.com/uploads/1/3/1/3/131384284/vumomabo-lesonoximasofor.pdf
    • https://zamelati.weebly.com/uploads/1/3/4/6/134652334/wejazetu.pdf
    • https://xipurewaxo.weebly.com/uploads/1/3/4/7/134759043/666f30c897.pdf
    • https://banatili.weebly.com/uploads/1/3/5/3/135314160/64ccb34a0.pdf
    • https://zatitolapokogev.weebly.com/uploads/1/4/1/4/141493006/652a81cbd.pdf
    • https://zoparidozuxeb.weebly.com/uploads/1/3/5/3/135390671/ed710ced760491b.pdf
    • https://videjowogifasol.weebly.com/uploads/1/4/1/2/141218140/felosaxu.pdf
    • https://regujovirex.weebly.com/uploads/1/3/7/5/137508242/sefuxur_govosud_zukixovanapob_bugejoke.pdf
    • https://gesajapuso.weebly.com/uploads/1/3/4/8/134873290/724aead.pdf
    • https://wetagazikizofab.weebly.com/uploads/1/3/4/5/134590768/lezuxitilisop_mojug_binovo.pdf
    • https://jofevuwob.weebly.com/uploads/1/3/4/2/134235005/fusotilajir-tobotek.pdf
    • https://buwofapakudo.weebly.com/uploads/1/3/5/3/135316190/velovakurilegosi.pdf
    • https://siragakepog.weebly.com/uploads/1/3/4/8/134890789/c59f00418ed9e7.pdf
    • https://goguribepolim.weebly.com/uploads/1/3/0/7/130739596/2361447.pdf
    • https://vizokajobekaxa.weebly.com/uploads/1/3/0/9/130969885/numilalore.pdf
    • https://nefavegipu.weebly.com/uploads/1/3/4/3/134365482/mufinawatowefu.pdf
    • https://lemisisax.weebly.com/uploads/1/3/4/4/134494561/778552.pdf
    • https://mibokedizigabu.weebly.com/uploads/1/3/1/4/131437832/wumozanokuxadew.pdf
    • https://mejexagisogikez.weebly.com/uploads/1/3/4/4/134468566/c3d62553f4c.pdf
    • https://vurebupimemite.weebly.com/uploads/1/4/1/3/141373083/f4f7673489.pdf
    • http://kptar.com.br/kcfinder/upload/files/wikevufu.pdf
    • https://fugazopemuseb.weebly.com/uploads/1/4/1/2/141258880/636a552a1b.pdf
    • https://kiwogoro.weebly.com/uploads/1/3/4/6/134635848/2c7e80.pdf
    • https://lowarimubabop.weebly.com/uploads/1/3/4/7/134712264/ropit_virupobanitawa.pdf
    • https://xuxidasos.weebly.com/uploads/1/4/1/4/141494405/zudasunuz.pdf
    • https://wexejejide.weebly.com/uploads/1/3/3/9/133986252/sijalepumep.pdf
    • https://sosepokapebovi.weebly.com/uploads/1/3/0/8/130814645/lamenipuga.pdf
    • https://funesovikigaje.weebly.com/uploads/1/3/0/7/130740183/vebolamufakef.pdf
    • https://guvixagudakila.weebly.com/uploads/1/4/1/2/141259151/xewuvepenaxemuvip.pdf
    • http://komornikstargard.com/userfiles/file/24664014454.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
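Both the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a small scanner. The following Python is an added example written for this page, not the analysis platform's own code. The PDF it scans is constructed inline: a base body plus one incremental update (second trailer/%%EOF) that redefines object 5 0, the link annotation's action, with a different /URI. Its URLs, object numbers and offsets are placeholders, not values taken from the sample. The scanner resolves every object both first-wins and last-wins so the reviewer can see which target each kind of reader would follow, and raises the duplicate's severity only when a duplicated body carries active content, as the heuristic text describes.

```python
"""Scan a PDF for (a) indirect objects defined more than once with different
bodies and (b) /URI actions, resolved first-wins and last-wins.

Added example, not tooling from the report. SAMPLE_PDF is constructed here;
its URLs and offsets are placeholders, not the analysed file.
"""
import re
from collections import defaultdict

# Matches "N G obj ... endobj". The lookbehind stops "15 0 obj" being read as "5 0 obj".
# Caveat: this does not honour stream /Length, so a stream whose bytes contain
# "endobj" would confuse it; a production parser must walk streams by length.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string form of a URI action: /URI (https://...)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Keys whose presence in a duplicated body turns benign-looking incremental-update
# churn into something worth escalating.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")

# Constructed sample: the base body points object 5 at a harmless URL; the
# incremental update after the first %%EOF redefines 5 0 with another URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A 5 0 R >>
endobj
5 0 obj
<< /S /URI /URI (https://docs.example.org/original.pdf) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
5 0 obj
<< /S /URI /URI (https://lure.example.net/r/abc123?utm_term=cardiovascular+physiology+pdf) >>
endobj
trailer
<< /Root 1 0 R /Prev 9 >>
%%EOF
"""


def scan_objects(data):
    """Every indirect object definition in file order: (num, gen, offset, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """(num, gen) -> list of bodies, only for ids defined more than once with
    differing body bytes. Byte-identical re-definitions are not reported."""
    by_id = defaultdict(list)
    for num, gen, _, body in scan_objects(data):
        by_id[(num, gen)].append(body)
    return {k: v for k, v in by_id.items() if len(v) > 1 and len(set(v)) > 1}


def severity_for(bodies):
    """'info' for body-only churn, 'high' when any version carries active content."""
    return "high" if any(k in b for b in bodies for k in ACTIVE_KEYS) else "info"


def resolve_all(data, policy):
    """The object table as a first-wins or last-wins reader would build it."""
    table = {}
    for num, gen, _, body in scan_objects(data):
        if policy == "first":
            table.setdefault((num, gen), body)   # keep the earliest definition
        else:
            table[(num, gen)] = body             # later definition overrides
    return table


def _unescape(raw):
    # Minimal PDF literal-string unescape: \\, \( and \) cover what a URL needs.
    return re.sub(rb"\\([\\()])", rb"\1", raw).decode("latin-1")


def extract_uris(data, policy="last"):
    """URIs reachable through /URI actions under the given resolution policy."""
    return [_unescape(m.group(1))
            for body in resolve_all(data, policy).values()
            for m in URI_RE.finditer(body)]


def analyse(data):
    dups = duplicate_objects(data)
    return {
        "duplicates": {f"{n} {g}": {"definitions": len(b), "severity": severity_for(b)}
                       for (n, g), b in dups.items()},
        "uri_first_wins": extract_uris(data, "first"),
        "uri_last_wins": extract_uris(data, "last"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_PDF), indent=2))
```

On the constructed sample a first-wins reader follows the original URL while a last-wins reader (the behaviour mandated by incremental updates, and what most viewers do) follows the second one; a scanner that resolves only one way would report only one of the two targets. That divergence is exactly why the duplicate-object heuristic flags body differences at all, and why the severity is tied to whether the duplicated object carries active content rather than to the duplication alone.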

Extracted artifacts 3

Files carved from inside the sample during analysis.

font_00_sfnt_off00066887.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x66887
  Size: 17648 bytes
  SHA-256: 42036774828e3b0114df8bd15012a83e9ebd3bff8c8abf2c782f6f1d4d241446

font_01_sfnt_off0006971f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6971F
  Size: 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

font_02_sfnt_off0006af36.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6AF36
  Size: 11208 bytes
  SHA-256: a1c7bfcf25b56e6d7f6f5740dad1a270a14f6c33672c2c6fb8638cdfaa9fc87e