Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9c9e8c8a22ad96f…

Verdict: MALICIOUS
File type: PDF
Size: 165.1 KB
Created: 2021-03-24 01:36:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 2e04c122ba511053a0604b988b0ba8a7
SHA-1: 9a2fe23356c8902af4a9ecaecc5cf915698d00a1
SHA-256: a9c9e8c8a22ad96fd674c85c07aa7feb82857573667d581b3e8b94b8fed2b106
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, suggests a lure related to 'The Count of Monte Cristo' novel summary, aiming to trick the user into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • https://jottigo.ru/strik?utm_term=the+count+of+monte+cristo+novel+summary (PDF link annotation)
    • http://tepugorotewole.medianewsonline.com/vodiwuf.pdf (in PDF document text)
    • https://cdn.sqhk.co/nugilatunu/bjfkAjb/lord_of_heroes_game_wiki.pdf (in PDF document text)
    • http://nitesufi.sportsontheweb.net/pdf_file_converter_to_word.pdf (in PDF document text)
    • http://roduvogixaxo.66ghz.com/22319582038.pdf (in PDF document text)
    • https://cdn.sqhk.co/zoribakim/hbPijRI/10209750129.pdf (in PDF document text)
    • https://cdn.sqhk.co/wotirixa/jeFdMhg/onedrive_for_business_download_32-_bit.pdf (in PDF document text)
    • http://loxokunetuladi.66ghz.com/cerner_millennium_pathnet_user_guide.pdf (in PDF document text)
    • http://bupatinewesep.66ghz.com/jedak.pdf (in PDF document text)
    • https://cdn.sqhk.co/vixemujomu/hdjdige/wechat_download_for_mac_computer.pdf (in PDF document text)
    • https://cdn.sqhk.co/forexidof/gdvcwJo/voice_activated_jumping_game.pdf (in PDF document text)
    • https://cdn.sqhk.co/lazemowul/jbig7hj/ruzanixanemivolokimezis.pdf (in PDF document text)
    • https://cdn.sqhk.co/supesuvepo/jffjfjc/raxetap.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • https://s3.amazonaws.com/desenaz/dufetazusaguv.pdf (in PDF document text)
    • http://fupisetugib.rf.gd/fevoram.pdf (in PDF document text)
    • https://s3.amazonaws.com/resabomibogodaw/60825146572.pdf (in PDF document text)
    • https://s3.amazonaws.com/jubiferekaka/losamuzafamurasaxawuwuli.pdf (in PDF document text)
    • http://mezoninol.epizy.com/fagitol.pdf (in PDF document text)
    • https://s3.amazonaws.com/wibedubosateg/39212821079.pdf (in PDF document text)
    • https://s3.amazonaws.com/piradi/pedeje.pdf (in PDF document text)
    • https://s3.amazonaws.com/zufojadibi/kinipadidogobi.pdf (in PDF document text)
    • https://s3.amazonaws.com/mamibis/what_does_chloroform_in_water_mean.pdf (in PDF document text)
    • https://s3.amazonaws.com/numegubowalonan/64083598637.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0001bb7b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BB7B | 29716 bytes
  SHA-256: c321b573a78fdb93180b6faed5bfaa5abdb73173dfc87b9193e897fa93138dc9
font_01_sfnt_off00021733.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x21733 | 5232 bytes
  SHA-256: fa30f35c0822cfcbf9aa9e83da5d83bb8c618635295f06a305f5ac27273c708b
font_02_sfnt_off000228e1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x228E1 | 4692 bytes
  SHA-256: f2d817c5f3df753f56916a81bf2ae536253c527470e91272faea7b79f7dd787b
font_03_sfnt_off000238fd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x238FD | 17172 bytes
  SHA-256: 16fb74ccf424fbacbc0942b77197986cefe412569412a178055f89c15c3fc954
font_04_sfnt_off0002695c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2695C | 17968 bytes
  SHA-256: daa6bbc1245495237634d54a62ff2c0b4eca9045f6cd9b51fbe0e72fde1bb9d9