Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5d8bd9de1727dd4…

Verdict: MALICIOUS
File type: PDF
Size: 89.6 KB
Created: 2021-03-13 20:12:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96d22e000a663508dfb2aaf455569ab8
SHA-1: e0a3466681fd194e6ee2410670e2ead8c6e8a96f
SHA-256: a5d8bd9de1727dd4c4afced7eae68973cb5b274dbde0123fbb448d3fb3c6b807
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF document produced by wkhtmltopdf whose link annotations carry external URL actions (PDF_URI) intended to get the recipient to click through. The Nyx ML classifier (score 0.9992) and the ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 independently classify it as a phishing/trojan PDF. The embedded URLs are the primary indicators of compromise: most point at further PDF files on free or bulk file-hosting services (weebly.com, epizy.com, iblogger.org, filesusr.com, strikinglycdn.com, S3 buckets), and one at https://lozipotod.ru/award?keyword=bryant+university+campus+map+pdf, a lure keyed to a search phrase. Not every extracted URL is an indicator: the W3C RDF, Dublin Core and Adobe XMP namespace URIs and the SIL Open Font License URL come from the document's XMP metadata and embedded font name tables, and the two www.ascendercorp.com URLs are a type foundry's vendor and designer URLs of the kind carried in font name tables; none of these should be blocked or hunted on. The duplicate-object finding (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) is reported at info severity only. No heuristic reports a JavaScript object, so the T1059.007 mapping is not corroborated by observed script content in this scan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/award?keyword=bryant+university+campus+map+pdf
    • https://cdn-cms.f-static.net/uploads/4383568/normal_60394845e74f5.pdf
    • https://cdn-cms.f-static.net/uploads/4471083/normal_60187275d5ee6.pdf
    • http://laxeded.iblogger.org/87453792416.pdf
    • https://zavurebugefogoj.weebly.com/uploads/1/3/4/3/134397626/e085569c21a.pdf
    • https://cdn-cms.f-static.net/uploads/4469128/normal_5fda986876e67.pdf
    • https://bilugejedegigel.weebly.com/uploads/1/3/4/0/134017605/vugunemowiredan.pdf
    • https://cdn-cms.f-static.net/uploads/4420905/normal_604508396cdbe.pdf
    • https://zoxalutaj.weebly.com/uploads/1/3/1/4/131407742/9676584.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/temujonuwu/what_are_mind_body_techniques.pdf
    • https://uploads.strikinglycdn.com/files/7501e909-e804-4ce1-bffb-29654f3cc321/roland_v-4ex_price.pdf
    • https://uploads.strikinglycdn.com/files/0647cf04-f7e4-4861-877a-5f1e1c965be2/36234707551.pdf
    • https://uploads.strikinglycdn.com/files/9e28fe0c-05b5-4286-aa70-1fb06f1bf833/feributowosuje.pdf
    • https://s3.amazonaws.com/jivuxo/hp_officejet_7110_does_not_print.pdf
    • https://s3.amazonaws.com/lekelepowo/cours_sur_les_coordonnes_polaires.pdf
    • http://dadodoserosif.epizy.com/wizemekeruvu.pdf
    • http://kolitaguligod.epizy.com/directv_rc66_remote.pdf
    • http://dolifusekaxug.epizy.com/math_games_to_play_on_zoom.pdf
    • https://s3.amazonaws.com/fejakixoweka/elefantul_cici_gratis.pdf
    • https://891dfe3a-8969-4df2-b253-5ccc4ebbb7a0.filesusr.com/ugd/e66789_015ec75bfae04144a5ecb15d9d7a3d97.pdf?index=true
    • https://s3.amazonaws.com/dubiditiginowo/chinese_remix_tamil_song.pdf
    • https://uploads.strikinglycdn.com/files/cabfc9d8-3233-47d0-8e8d-f25404712b42/lajuvosolatagar.pdf
    • https://b56e6f12-3f4b-4b75-bc29-9585eb3fba71.filesusr.com/ugd/73f0dd_559fa48621454daca4cfd01d5294799b.pdf?index=true
    • https://21e323bd-7fdd-46e9-a6c7-4880e76d7610.filesusr.com/ugd/0a51c1_ace482d7e24349938d82f8c72fa76f7b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
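The two heuristics above that a triage analyst most often wants to reproduce by hand are the duplicate-object check (which body does a first-wins reader see, which does a last-wins reader see, and does the redefinition carry active content) and URL extraction with a per-channel label (URI action versus document body versus metadata namespace). The script below is an added Python example, not the scanner's own code. The sample PDF bytes, its URLs, the object numbers and the list of "active content" keys are constructed assumptions for illustration; the stream /Length values are not validated.

```python
"""Hand-rolled triage for two PDF heuristics: duplicate indirect objects
with differing bodies, and URL extraction labelled by channel.
Added example; the sample PDF and the ACTIVE_KEYS list are assumptions."""
import re
from collections import defaultdict

# Dictionary keys whose presence makes a redefined object worth escalating.
# This list is an assumption, not the scanner's own policy.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# URL prefixes that appear in XMP metadata and font license strings, not in
# user-clickable content.
METADATA_PREFIXES = ("http://www.w3.org/", "http://purl.org/dc/",
                     "http://ns.adobe.com/", "http://scripts.sil.org/OFL")

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

# Constructed sample: object 4 is defined twice. The first definition is a
# bare link annotation; the incremental redefinition adds a /URI action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] >> endobj
5 0 obj << /Type /Metadata /Subtype /XML /Length 66 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
6 0 obj << /Length 49 >>
stream
BT (Download: https://example.test/doc.pdf) Tj ET
endstream
endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://lure.example.test/award) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def iter_objects(pdf):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order.
    Objects inside object streams are not expanded by this simple scan."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def find_duplicate_objects(pdf):
    """Return {(num, gen): {'first': body, 'last': body, 'severity': s}} for
    object ids defined more than once with differing bodies. 'first' is what
    a first-wins reader resolves, 'last' what a last-wins reader resolves."""
    seen = defaultdict(list)
    for num, gen, body in iter_objects(pdf):
        seen[(num, gen)].append(body)
    report = {}
    for key, bodies in seen.items():
        if len(bodies) < 2 or all(b == bodies[0] for b in bodies):
            continue  # byte-identical redefinitions resolve the same everywhere
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        report[key] = {"first": bodies[0], "last": bodies[-1],
                       "severity": "high" if active else "info"}
    return report


def extract_urls(pdf):
    """Return {url: set(channels)}. 'uri-action' marks URLs reached through a
    /S /URI action, 'metadata' marks XMP/license namespace URIs, and 'body'
    marks any other URL-looking byte run (text, comments, stream data)."""
    found = defaultdict(set)
    for _, _, body in iter_objects(pdf):
        for m in URI_ACTION_RE.finditer(body):
            found[m.group(1).decode("latin-1")].add("uri-action")
    for m in URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url.startswith(METADATA_PREFIXES):
            found[url].add("metadata")
        elif "uri-action" not in found[url]:
            found[url].add("body")
    return dict(found)


if __name__ == "__main__":
    for (num, gen), info in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj redefined, severity={info['severity']}")
        print("  first-wins ->", info["first"][:60])
        print("  last-wins  ->", info["last"][:60])
    for url, channels in extract_urls(SAMPLE_PDF).items():
        print(f"{','.join(sorted(channels)):<12} {url}")
```

Run it against a real sample by replacing SAMPLE_PDF with the file's bytes. The regexes operate on raw bytes, so objects packed into compressed object streams (/Type /ObjStm) are invisible to this scan and need a decompression pass first; that is exactly the gap an incremental-update trick relies on, so treat a clean result from this script as a first pass, not a verdict.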

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012080.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12080
  Size: 5480 bytes
  SHA-256: 8a5d00e427c36c8851a9e3d4a5602fe241d9cf94b4a716463b40d9de35d03a5b

Filename: font_01_sfnt_off00013322.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13322
  Size: 10912 bytes
  SHA-256: 214a8f05fb7a2ba1d7aa72ec72c64131c31b2fc0fe2e3ca9461321d7848419b4