Malicious PDF — malware analysis report

Static analysis result for SHA-256 99b0da1e6162e274…

MALICIOUS

PDF

71.6 KB Created: 2021-04-06 00:50:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 43de58693e72edadc4db59d124f213ad SHA-1: 64c44a4062765794bfc6e549780d2f7ef0dc895f SHA-256: 99b0da1e6162e27429a2a0d858f9badba2f74ccd07938295ef4d9a917be3b1d2
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by the ML classifier and by ClamAV, which together indicate a high likelihood of malicious intent. It contains embedded URLs that likely lead to phishing or malware download sites, disguised with keywords related to popular games and other search-bait topics (software downloads, degrees, salaries). The external URI action shows that the document is built to redirect the reader to an attacker-controlled domain for further exploitation. Note that the URL list below also contains XMP namespace identifiers (w3.org, purl.org, ns.adobe.com) and font licence/vendor references (scripts.sil.org/OFL, ascendercorp.com); these are metadata strings, not navigation targets, and should not be treated as indicators. No JavaScript heuristic fired in this result, so the T1059.007 mapping is not corroborated by the heuristics listed here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=fireboy+and+watergirl+unblocked+games+forest+temple
    • http://pay-order.info/rozifafexutorawoz4k3do.pdf
    • https://cdn.sqhk.co/tategupet/jahaVje/sonic_adventure_2_knuckles_switch.pdf
    • http://natorg.fun/baxuzatekotelozallnui.pdf
    • https://zeleloda.weebly.com/uploads/1/3/0/7/130776222/5548008.pdf
    • https://cdn.sqhk.co/mudebijutene/bjfx1d4/japebevo.pdf
    • http://sandiego-podcasts.com/51849092259b5kyx.pdf
    • http://gufutaca3.xyz/business_administration_degree_online_south_carolinakxmh1.pdf
    • http://bilabeseximilew.22web.org/41410836328.pdf
    • https://fepexugoroba.weebly.com/uploads/1/3/4/4/134469665/9717341.pdf
    • https://cdn.sqhk.co/xovepejegosi/Rhfjdhc/basketball_league_minimum_salary.pdf
    • http://mattelipsticks.site/wozivagogixanakid8bhl1.pdf
    • http://premial.su/download_ps_vita_emulator_for_pc_windows_7_32_bityto4e.pdf
    • https://cdn.sqhk.co/fuwunikuneg/hehb5ja/49211132369.pdf
    • http://bitcoinchat.fun/the_vampire_diaries_elena_and_damon_dance_feel_so_close_season7juue.pdf
    • http://lnstagramverifiedsbadgesforms.com/tarexivitovawf4kg.pdf
    • http://idealica-uficiale.website/536382288238j5g4.pdf
    • https://nalabusapigo.weebly.com/uploads/1/3/2/7/132740218/gisaxuzonuxofebiwop.pdf
    • https://pixipemojawipe.weebly.com/uploads/1/3/4/4/134459682/5419679.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b4d32581-a45d-474d-a816-aea6f0ac9c0b/mifi_6620l_verizon.pdf
    • https://uploads.strikinglycdn.com/files/a0bfcbde-3821-4d2a-9b54-cc53a0b692ee/domubove.pdf
    • http://livufibutimogil.rf.gd/adobe_reader_free_download_for_windows_10_offline_installer.pdf
    • https://uploads.strikinglycdn.com/files/72c27bf2-6d01-484f-8354-6d8a1de6c33b/zukakixeromugumasuz.pdf
    • https://uploads.strikinglycdn.com/files/31b487e6-a683-4f24-9a75-60df139efbc9/pebukujemotobudakawinumaj.pdf
    • http://zixugudarasol.epizy.com/lagu_orkes_amelia_jepara_terbaru.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
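The two heuristics above, the duplicate-object check and the per-URL channel labels, can be reproduced with a small object scanner. The following is an added example written for this report, not the scanner's own code: it runs over a constructed two-revision PDF (the file bytes, the object numbers and the `.invalid` URL are all invented for the example) in which an incremental update redefines the link action, resolves the object table both first-wins and last-wins, raises severity only when the duplicate carries active content, and labels each URL with the channel it was found in (link annotation, XMP metadata, or plain document body). Streams are assumed to be unencoded; URLs inside FlateDecode'd metadata would need the stream inflated first.

```python
"""Duplicate-object resolution and URL channel labelling for a PDF.
Added example with a constructed sample; not the analysis platform's code."""
import re
from collections import defaultdict

# Keys whose presence makes an object "active": it can navigate or execute
# rather than merely draw content.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"'\]]+")
XMP_RE = re.compile(rb"<x:xmpmeta\b.*?</x:xmpmeta>", re.DOTALL)

# Constructed sample (not a real file): one page with a link annotation whose
# action (object 5) is redefined by an incremental update. No xref table is
# included because the scanner walks "N G obj" keywords instead of seeking.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 600 800] /A 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /Action /S /URI /URI (http://www.example.com/) >>\nendobj\n"
    b"6 0 obj\n<< /Type /Metadata /Subtype /XML /Length 160 >>\nstream\n"
    b"<x:xmpmeta xmlns:x=\"adobe:ns:meta/\"><rdf:RDF "
    b"xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\" "
    b"xmlns:pdf=\"http://ns.adobe.com/pdf/1.3/\"/></x:xmpmeta>\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 7 >>\nstartxref\n0\n%%EOF\n"
    # Incremental update: same object number and generation, different body.
    b"5 0 obj\n<< /Type /Action /S /URI /URI (http://pay-order.invalid/lure.pdf) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 7 /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)


def iter_objects(data):
    """Yield (num, gen, body, file_offset) for every 'N G obj ... endobj'."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(data):
    """Objects defined more than once with differing bodies; severity is only
    raised when one of the bodies carries active content."""
    defs = defaultdict(list)
    for num, gen, body, _ in iter_objects(data):
        defs[(num, gen)].append(body)
    report = {}
    for key, bodies in defs.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            report[key] = {"definitions": len(bodies), "active": active,
                           "severity": "high" if active else "info"}
    return report


def resolve(data, policy):
    """Object table as a first-wins ('first') or last-wins ('last') reader builds it."""
    table = {}
    for num, gen, body, _ in iter_objects(data):
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def uri_actions(table):
    """Sorted (obj, URI) pairs for every /URI action in a resolved table."""
    return sorted((key, m.group(1).decode("latin-1"))
                  for key, body in table.items()
                  for m in URI_ACTION_RE.finditer(body))


def labeled_urls(data):
    """Map each URL to the channel that reached it; the most active label wins."""
    rank = {"xmp_metadata": 0, "document_body": 1, "link_annotation": 2}
    action_uris = {m.group(1) for _, _, body, _ in iter_objects(data)
                   for m in URI_ACTION_RE.finditer(body)}
    xmp_spans = [(m.start(), m.end()) for m in XMP_RE.finditer(data)]
    labels = {}
    for m in URL_RE.finditer(data):
        url = m.group(0)
        if url in action_uris:
            channel = "link_annotation"
        elif any(a <= m.start() < b for a, b in xmp_spans):
            channel = "xmp_metadata"
        else:
            channel = "document_body"
        key = url.decode("latin-1")
        if rank[channel] > rank.get(labels.get(key), -1):
            labels[key] = channel
    return labels


def analyze(data):
    """Summary: duplicate objects, actions that differ between reader policies, URL labels."""
    first = dict(uri_actions(resolve(data, "first")))
    last = dict(uri_actions(resolve(data, "last")))
    divergent = {k: (first.get(k), last.get(k))
                 for k in first.keys() | last.keys() if first.get(k) != last.get(k)}
    return {"duplicates": duplicate_objects(data),
            "divergent_actions": divergent, "urls": labeled_urls(data)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(SAMPLE_PDF))
```

The `divergent_actions` entry is the practical output: a reader that honours the first definition of object 5 opens `example.com`, one that honours the last opens the lure URL, which is exactly the parser-confusion shape the heuristic describes. Run against a real sample, the `xmp_metadata` label is what keeps namespace URIs out of the indicator list.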

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d909.bin
  SHA-256: 441e8eca6e1d633e69d0d23525b00ee2e11f0b2f810dce1a1a3ed6acc9d3352d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD909
  Size: 5828 bytes

Filename: font_01_sfnt_off0000ecec.bin
  SHA-256: 988d13942e040fb84783e6e8389bea2e5e6a0be0f870c4219569a7aff1dc46fa
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xECEC
  Size: 10476 bytes
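Carving the two sfnt fonts above comes down to decoding each stream and checking whether the result starts with a consistent sfnt table directory. The following is an added example, not the platform's carving code: it builds a constructed PDF containing one FlateDecode'd minimal TrueType blob (the font and object numbers are invented for the example) next to a plain text stream, decodes every stream, validates the table directory rather than trusting the magic alone, and names the hits with the same `font_NN_sfnt_offXXXXXXXX.bin` convention as the artifact list. It assumes the reported offset is where the stream data begins in the file; the real tool may measure from a different point.

```python
"""Carve embedded sfnt (TrueType/OpenType) fonts out of PDF streams.
Added example with a constructed sample; not the analysis platform's code."""
import hashlib
import re
import struct
import zlib

# sfnt flavours with a standard table directory at offset 0. TrueType
# collections ('ttcf') use a different header and are deliberately not handled.
SFNT_MAGIC = {b"\x00\x01\x00\x00": "TrueType",
              b"true": "TrueType (Apple)",
              b"OTTO": "OpenType/CFF"}
# 'stream' keyword that is not the tail of 'endstream'.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")
# Direct /Length only; '/Length 5 0 R' (indirect) is skipped, '/Length1' does not match.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def build_sample_font():
    """Constructed minimal sfnt: a valid directory with one 54-byte 'head' table."""
    num_tables = 1
    header = struct.pack(">IHHHH", 0x00010000, num_tables, 16, 0, 0)   # 12 bytes
    head = b"\x00\x01\x00\x00" + b"\x00" * 50                          # 54 bytes
    record = struct.pack(">4sIII", b"head", 0, 12 + 16 * num_tables, len(head))
    return header + record + head                                     # 82 bytes


SAMPLE_FONT = build_sample_font()


def build_sample_pdf(font):
    """Constructed PDF: one FlateDecode font stream and one plain text stream."""
    comp = zlib.compress(font)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"7 0 obj\n<< /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode /Length1 " + str(len(font)).encode()
            + b" >>\nstream\n" + comp + b"\nendstream\nendobj\n"
            b"8 0 obj\n<< /Length 11 >>\nstream\nHello World\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def iter_streams(data):
    """Yield (data_offset, stream_dict_bytes, decoded_payload) for each stream."""
    for m in STREAM_RE.finditer(data):
        obj_start = data.rfind(b"obj", 0, m.start())
        head = data[max(obj_start, 0):m.start()]
        lm = LENGTH_RE.search(head)
        if lm:
            raw = data[m.end():m.end() + int(lm.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            raw = data[m.end():data.find(b"endstream", m.end())]
        payload = raw
        if b"/FlateDecode" in head:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or corrupt stream: skip rather than crash
        yield m.end(), head, payload


def parse_sfnt(buf):
    """Return {'flavor', 'tables'} when buf starts with a self-consistent sfnt
    directory (every table record lies inside the blob), else None."""
    if len(buf) < 12 or buf[:4] not in SFNT_MAGIC:
        return None
    num_tables = struct.unpack(">H", buf[4:6])[0]
    if num_tables == 0 or 12 + 16 * num_tables > len(buf):
        return None
    tables = []
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack(">4sIII", buf[12 + 16 * i:28 + 16 * i])
        if off + length > len(buf):   # record points outside the blob
            return None
        tables.append(tag.decode("latin-1"))
    return {"flavor": SFNT_MAGIC[buf[:4]], "tables": tables}


def carve_sfnt_fonts(data):
    """Every stream that decodes to an sfnt, named like the artifact list."""
    found = []
    for off, _head, payload in iter_streams(data):
        info = parse_sfnt(payload)
        if info is None:
            continue
        found.append({"name": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
                      "offset": off, "size": len(payload),
                      "sha256": hashlib.sha256(payload).hexdigest(), **info})
    return found


if __name__ == "__main__":
    for f in carve_sfnt_fonts(build_sample_pdf(SAMPLE_FONT)):
        print(f["name"], f["flavor"], f["size"], f["tables"], f["sha256"])
```

Hashing the decoded payload, as done here, gives a stable SHA-256 per font regardless of how a given generator compressed it, which is the value you want to pivot on across samples produced by the same lure kit.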