Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0289b6ff5f32580…

Verdict: MALICIOUS
File type: PDF
Size: 106.5 KB
Created: 2021-03-15 06:29:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59601302f54ae7add5b33e61da686ca6
SHA-1: bfdab6c064ffc8dfe6d62161591729f2e4a42bee
SHA-256: a0289b6ff5f325801518fbf47c26cd0d0d6a7647666148685ff44e9e4916fc0c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan, and a machine learning classifier assigned it a high probability of being malicious. The document contains an embedded URL pointing to 'mezovuduw.ru', which is likely used to deliver a phishing page or malware payload. The PDF-specific heuristics and the overall detection score strongly suggest malicious intent, most likely phishing or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/wix?keyword=simply+clear+cbd+stock

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00016214.bin
  SHA-256: 4c334d85fb5a9b147864a2f0d68e4c20403d6f0e3178b02bd5cf3aca20fd348a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16214
  Size: 5628 bytes

Filename: font_01_sfnt_off00017520.bin
  SHA-256: c9a4b2367003c00881d751dfee3f2f3ec8be83e99efd792a9be5fd860dcc5184
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17520
  Size: 11788 bytes