Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac0acf13768f96b1…

Verdict: MALICIOUS
File type: PDF
Size: 79.6 KB
Created: 2021-03-20 12:35:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1254fdf4669fa595586e8b389dfce291
SHA-1: d886a6caee5036d2e845f69ec27066acd22e19af
SHA-256: ac0acf13768f96b121c64348abf6e95abd0907a4e0faa2cb3f32ec02f8ba644e
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an external URI action and is flagged as malicious both by the machine-learning classifier (score 0.9961) and by ClamAV (Pdf.Phishing.Trojan). The obfuscated document body and the query string of the first extracted URL (mechanical+assessment+test+pdf) point to a lure themed on a 'mechanical assessment test'. The remaining URLs, most of them on free file-hosting services (weebly.com, sqhk.co, strikinglycdn.com, rf.gd, epizy.com, s3.amazonaws.com), indicate an attempt to redirect the reader to attacker-controlled pages for the next stage rather than content the document itself renders.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (/URI).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G obj) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, launch or URI actions, open-action triggers).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) decides how it should be weighed, and this listing does not carry those per-URL labels. The trailing w3.org, purl.org and ns.adobe.com entries are XMP/RDF metadata namespace identifiers and scripts.sil.org/OFL is the SIL Open Font License URL from the embedded fonts; none of those is a navigation target.
    • https://dafemum.ru/award?keyword=mechanical+assessment+test+pdf
    • https://teraxumafelenug.weebly.com/uploads/1/3/4/7/134747654/mebezumuzusilokibifo.pdf
    • https://cdn.sqhk.co/ponesigis/jbjhhjh/fetesi.pdf
    • https://fotewusobowo.weebly.com/uploads/1/3/5/3/135339642/c3c3af35d6baa.pdf
    • https://cdn.sqhk.co/gabebutiz/iagdjdl/marble_classic_exclusive_warehouse.pdf
    • http://dmdmassage.com/why_java_is_known_as_platform_independent_language_explain_some_feature_of_javakg3y4.pdf
    • http://bestunew.xyz/petadoraxirixozikumegjgt4a.pdf
    • http://dayzcommunity.info/wexefadirodupufawulido02xf7.pdf
    • https://cdn.sqhk.co/botonerepap/guiiFjc/my_airtel_app_nigeria_apk_download_apkpure.pdf
    • https://wejakoguxi.weebly.com/uploads/1/3/4/3/134324676/kifudomun.pdf
    • https://cdn.sqhk.co/difanemifal/kgc4ig6/velodyne_subwoofer_manual.pdf
    • https://dolilufaxeni.weebly.com/uploads/1/3/2/6/132683246/500d755b141.pdf
    • https://runewabelew.weebly.com/uploads/1/3/0/8/130813516/1715067.pdf
    • https://cdn.sqhk.co/pekobenew/gihaFic/gilesamabipanemovupojopox.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lebevinawefebo.rf.gd/playground_sessions_android_app.pdf
    • https://uploads.strikinglycdn.com/files/68524a51-4a64-4761-b429-83247446e49e/tuxojezigole.pdf
    • http://fesejawezu.rf.gd/rewezerulozog.pdf
    • https://s3.amazonaws.com/xefejevife/28205328525.pdf
    • https://uploads.strikinglycdn.com/files/5428da21-a885-42dc-9da6-7687ca444f0a/sinoraxisefimuvakenowa.pdf
    • http://peferoxa.epizy.com/advantages_and_disadvantages_of_social_media_for_students.pdf
    • https://s3.amazonaws.com/defipedibe/3274062690.pdf
    • https://uploads.strikinglycdn.com/files/ef59d3cc-2f57-4813-a8e5-d9e8d7082132/murachs_c_2015_ebook.pdf
    • https://uploads.strikinglycdn.com/files/070a0538-9117-4d3e-a4f1-7b35350ed330/radizupizototule.pdf
    • https://s3.amazonaws.com/fujadabez/12310492448.pdf
    • https://uploads.strikinglycdn.com/files/4349c9e6-edab-47d6-ac1d-749fcede59f7/38500376285.pdf
    • http://kosejoviwo.epizy.com/classroom_implications_of_educational_psychology_in_telugu.pdf
    • http://pazatirademe.rf.gd/the_righteous_brothers_greatest_hits.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
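To make the two structural heuristics above concrete (the external /URI action and the object defined twice with different bodies), here is an added Python example written for this report; it is not code from the analysis platform that produced the page. It scans only uncompressed "N G obj ... endobj" definitions in a constructed two-revision PDF (all URLs are example.invalid placeholders, not the sample's), shows what a first-wins and a last-wins reader each resolve object 5 0 to, escalates the duplicate only when one of the bodies carries an active key, and labels each extracted URL with the channel that reached it. Object streams, xref-table parsing and PDF string escapes are deliberately out of scope.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF whose only link
# annotation points at a benign-looking document, followed by an incremental
# update that redefines object 5 0 with a different /URI target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A 5 0 R >> endobj
5 0 obj << /S /URI /URI (https://docs.example.invalid/assessment-test.pdf) >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /S /URI /URI (http://lure.example.invalid/award?keyword=assessment+test+pdf) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" for uncompressed objects only; definitions hidden inside
# /ObjStm streams are invisible to this scan until the streams are inflated.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", re.DOTALL)
RAW_URL_RE = re.compile(rb"https?://[^\s<>()\[\]]+")
# Keys whose presence turns a duplicated body from "info" into something to escalate.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def parse_objects(data):
    """Collect every definition of every indirect object, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        ref = (int(m.group(1)), int(m.group(2)))
        objs[ref].append(m.group(3).strip())
    return dict(objs)


def resolve(objs, ref, policy="last"):
    """Emulate a first-wins or last-wins reader for one object reference."""
    bodies = objs.get(ref)
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies (the heuristic in the report)."""
    findings = []
    for ref, bodies in objs.items():
        distinct = set(bodies)
        if len(distinct) < 2:
            continue  # single definition or byte-identical re-emission: not interesting
        active = any(key in body for body in distinct for key in ACTIVE_KEYS)
        findings.append({"ref": ref, "definitions": len(bodies),
                         "severity": "high" if active else "info"})
    return findings


def extract_urls(data, objs):
    """Label each URL with the channel that reached it: a /URI action or a bare body string."""
    labelled = []
    for ref, bodies in objs.items():
        for body in bodies:
            for m in URI_ACTION_RE.finditer(body):
                labelled.append((m.group(1).decode("latin-1"), "uri_action", ref))
    already = {url for url, _, _ in labelled}
    for m in RAW_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in already:
            labelled.append((url, "document_body", None))
            already.add(url)
    return labelled


def scan(data):
    """Run both heuristics over raw PDF bytes and return a small report dict."""
    objs = parse_objects(data)
    return {"objects": len(objs),
            "duplicates": duplicate_objects(objs),
            "urls": extract_urls(data, objs)}


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for policy in ("first", "last"):
        print(policy + "-wins reader resolves 5 0 to:", resolve(objs, (5, 0), policy).decode())
    report = scan(SAMPLE_PDF)
    for finding in report["duplicates"]:
        print("duplicate:", finding)
    for url, channel, ref in report["urls"]:
        print(channel, ref, url)
```

Run directly, it prints the two different resolutions of object 5 0, the duplicate finding escalated to high because both bodies carry a /URI key, and each URL tagged as reached through a URI action. On a real sample, inflate FlateDecode and /ObjStm streams before scanning, since the second definition can sit inside a compressed object stream where a byte-level pass never sees it.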

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f84f.bin
    SHA-256: 2db630ad94b83c6e04a1f0a1473914015117bbffe5e37f2244872bbfc381363c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF84F
    Size: 5304 bytes
  • font_01_sfnt_off00010a46.bin
    SHA-256: 91f60ad9363d59822e301264d78a906495a56082e633520106eb8b4a91750a08
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A46
    Size: 11460 bytes