Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a3b0ef14ef43bf3…

Verdict: MALICIOUS
File type: PDF
Size: 73.4 KB
Created: 2021-03-16 21:13:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 875d3dcc8bafb06d160265be4d69e003
SHA-1: 9ba6d5b59bd55d8b818e54d3c053829fd277947d
SHA-256: 9a3b0ef14ef43bf3620ba01c23b055a3cddaa56c1958ca655389986896382145
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The presence of an external URI pointing to 'soxebez.ru' suggests a phishing or redirection attempt. Although no scripts were explicitly extracted, the PDF structure and the nature of the URL indicate it is likely designed to trick users into visiting a malicious site, possibly for credential harvesting or further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://soxebez.ru/wix?keyword=nevada+middle+school+mo

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                      Size
font_00_sfnt_off0000dfa4.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xDFA4   5112 bytes
  SHA-256: bbfb66bab9ccb7a4b42adfb808a62b58f222876b84a9f353e535c7dd27a44913
font_01_sfnt_off0000f0f0.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xF0F0   11144 bytes
  SHA-256: 65d9cdb51044e1017ca4d31c2755dcc12a04e49ec86e86e47736b19f214158e0