Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0f31c2ad22e9378…

MALICIOUS

PDF

Size: 220.8 KB
Created: 2021-03-19 07:31:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8fec5564a4bfb74e2176dc7242a489ba
SHA-1: 3dd977c406e0f6e17c49c0fad25413ae725a8ef8
SHA-256: a0f31c2ad22e9378be357f07d29c11b4e94d0a524b4c497902dcc9132fc6b78f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that points to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF as malicious. The document body, though heavily obfuscated, suggests a lure related to 'word with d and q', likely intended to trick users into clicking the malicious link for a phishing or malware download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8686

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://jumiwimov.ru/wix?keyword=word+with+d+and+q

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00030c1f.bin | 4a69f08bb0605c053e0abc7a34507ed8a62505d38b547e10b51e558d61ebc2ca | pdf-font-stream | PDF embedded font (sfnt) at offset 0x30C1F | 3952 bytes
font_01_sfnt_off00031a2b.bin | 56a10f1bad25fddeff050034cdc39322632e8088920d8640aa9a64f75ed44182 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x31A2B | 4604 bytes
font_02_sfnt_off000329cc.bin | 6c5f0313ff407186ecccf3d01bef7e8340c28a3f52cb54a9fa593b1a9950f62c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x329CC | 13808 bytes
font_03_sfnt_off000355a6.bin | d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x355A6 | 4324 bytes