Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac0ae111e62955c8…

Verdict: MALICIOUS
File type: PDF

Size: 79.7 KB
Created: 2021-03-28 00:10:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4637fff45b0c9bf2e3e5821b18c72060
SHA-1: 2c40c9dcf49a5540c8f809e6ecbc7da27b63f3b0
SHA-256: ac0ae111e62955c813aea7ce32fe9777e7571ce21a2a09c2f3e86b4876a685f3
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF triggered high-risk link heuristics and the ML classifier scored it as malicious. The document is image-heavy, and an invisible link annotation laid over the page image points to 'http://loginwithfb.site/maputilaggq4xy.pdf': a common credential-phishing lure pattern in which the visible page is only a prompt and the actual credential collection happens on the linked site. A second external URI, 'https://seumenha.ru/wix?keyword=i+am+afraid+of+me+culture+club', is also present. Because the content is carried as images rather than text, the body cannot be read statically, but the lure layout combined with these link targets indicates a phishing or malware-distribution attempt. None of the heuristics below report JavaScript, an OpenAction or an embedded file, so delivery in this sample depends on the user clicking the invisible link; the T1059.007 tag should be read as a classifier mapping rather than an observed script.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a new copy of the object), so severity is raised only when a duplicate carries active content such as an action, script or launch dictionary.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries at the end of this list are XMP namespace identifiers and http://scripts.sil.org/OFL is the SIL Open Font License URL; these are metadata strings, typically carried in the XMP packet and in embedded font name tables, not navigable link targets.
    • https://seumenha.ru/wix?keyword=i+am+afraid+of+me+culture+club
    • http://loginwithfb.site/maputilaggq4xy.pdf
    • https://cdn-cms.f-static.net/uploads/4445864/normal_6035c62cddcbf.pdf
    • https://cdn-cms.f-static.net/uploads/4489981/normal_605fabe2067f0.pdf
    • http://honey-love.ru/business_model_strategic_thinkinguwbum.pdf
    • http://bekowakiged.iblogger.org/how_to_become_an_er_np.pdf
    • http://pearhaidhr.fun/technivorm_moccamaster_kbg_selectxt1pv.pdf
    • http://meetdouche.xyz/international_commercial_agency_agreement_templatelvpcr.pdf
    • https://cdn-cms.f-static.net/uploads/4498404/normal_6018461cab22d.pdf
    • https://cdn-cms.f-static.net/uploads/4369322/normal_6013322e145d9.pdf
    • http://freshka.fun/how_to_install_evenflo_tribute_car_seatbuv0d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://guvonudigadosa.epizy.com/itbp_calendar_2020_download.pdf
    • http://xaxidos.epizy.com/apa_in_text_citation_worksheet.pdf
    • http://zinagurimobep.rf.gd/57469669332.pdf
    • https://uploads.strikinglycdn.com/files/9938bc01-30e5-46bc-849d-cd8f33688349/53822298688.pdf
    • https://s3.amazonaws.com/wupixufekijax/66484831675.pdf
    • https://s3.amazonaws.com/vitelitubovuluj/what_is_the_structure_of_interrogative_sentence.pdf
    • https://uploads.strikinglycdn.com/files/0f4a6604-b227-4ba3-a54c-36c09968d77e/tapuraja.pdf
    • https://uploads.strikinglycdn.com/files/2ebc0cfa-1fec-4f74-817f-0a9b8508dbaa/playstation_gold_headset_charging_cable.pdf
    • https://uploads.strikinglycdn.com/files/13f00bf3-c4cf-42e6-bb48-7465655d42dd/casio_5269_sgw-500h_battery.pdf
    • https://s3.amazonaws.com/dumupa/9850792036.pdf
    • https://uploads.strikinglycdn.com/files/de5b0869-0d53-4e71-8301-35cf0889f203/nefajofirotesi.pdf
    • https://uploads.strikinglycdn.com/files/ccd2f5ca-61aa-4d52-ac90-9bc4a159d786/how_to_change_time_on_radio_controlled_clock.pdf
    • https://uploads.strikinglycdn.com/files/c7a896cf-12a9-4ac4-a56e-76e1790a3107/timex_ironman_r300_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
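The two structural heuristics above, PDF_SUSPICIOUS_LINK_LURE (an invisible /Link annotation carrying an external /URI action) and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object number defined twice with different bodies), can be reproduced with a small scanner. The code below is an added example written for this report; it is not the analysis engine's code and does not claim to match its scoring. It works on raw bytes with regular expressions, so it only handles plain, uncompressed object syntax; a production parser would also read the xref tables and decode object streams. SAMPLE_PDF is constructed for the example (only the loginwithfb.site URL is taken from the report), and it is built the way the report describes the sample: an image-only page whose link annotation is first defined without an action and then redefined in an appended incremental update with a zero-width border and a URI action.

```python
"""Added example (not from the original report or the analysis tool): a
dependency-free scanner for invisible URI link annotations and for object
numbers defined twice with different bodies. Regex-based; it assumes plain,
uncompressed object syntax and does not decode /ObjStm or follow xref."""
import hashlib
import re
from collections import defaultdict

# "N G obj ... endobj"; lazy match so each definition stops at its own endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
LINK_RE = re.compile(rb"/Subtype\s*/Link(?![A-Za-z])")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# A zero-width border is the usual way a link annotation is made invisible.
ZERO_BORDER_RE = re.compile(rb"/Border\s*\[\s*0\s+0\s+0\s*\]")
# Keys whose presence means the object does something rather than describe.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

# Constructed sample: one image-only page; annotation 4 0 is first defined
# without an action, then redefined in an incremental update with an
# invisible link to the lure domain named in the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
 /Resources << /XObject << /Im0 5 0 R >> >> /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0] >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
x
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0]
 /A << /S /URI /URI (http://loginwithfb.site/maputilaggq4xy.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""


def iter_objects(data):
    """Yield (num, gen, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def find_link_annots(data):
    """Link annotations carrying a /URI action, resolved last-wins: a later
    definition (the appended update) replaces the earlier one."""
    resolved = {}
    for num, gen, body in iter_objects(data):
        resolved[(num, gen)] = body
    hits = []
    for (num, gen), body in resolved.items():
        uri = URI_RE.search(body)
        if not LINK_RE.search(body) or not uri:
            continue
        hits.append({
            "obj": num,
            "uri": uri.group(1).decode("latin-1"),
            "invisible": bool(ZERO_BORDER_RE.search(body)),
        })
    return hits


def find_duplicate_objects(data):
    """Object numbers defined more than once with differing bodies. A
    first-wins reader keeps bodies[0], a last-wins reader bodies[-1]; the
    record says whether each of those copies carries active content."""
    defs = defaultdict(list)
    for num, gen, body in iter_objects(data):
        defs[(num, gen)].append(body)
    dups = []
    for (num, gen), bodies in defs.items():
        if len({hashlib.sha256(b).hexdigest() for b in bodies}) < 2:
            continue  # identical re-emission, not a confusion shape
        dups.append({
            "obj": num, "gen": gen, "definitions": len(bodies),
            "first_active": has_active_content(bodies[0]),
            "last_active": has_active_content(bodies[-1]),
        })
    return dups


def findings(data):
    """Severity assignment following the rule stated in the report: invisible
    link to an external URI is high; a duplicate body is info unless one of
    the copies carries active content."""
    out = []
    for a in find_link_annots(data):
        if a["invisible"]:
            out.append(("high", "PDF_SUSPICIOUS_LINK_LURE", a["uri"]))
        else:
            out.append(("info", "PDF_URI", a["uri"]))
    for d in find_duplicate_objects(data):
        active = d["first_active"] or d["last_active"]
        out.append(("high" if active else "info",
                    "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL",
                    f"{d['obj']} {d['gen']} obj defined {d['definitions']}x"))
    return out


if __name__ == "__main__":
    for sev, code, detail in findings(SAMPLE_PDF):
        print(f"{sev:5} {code:38} {detail}")
```

Run against the constructed sample, the scanner reports the invisible link to loginwithfb.site as high and flags object 4 0 as defined twice, with active content only in the last copy: a first-wins reader sees a dead annotation, a last-wins viewer follows the link. To use it on a real file, replace SAMPLE_PDF with the file's bytes; for samples that compress their objects into /ObjStm streams or use /Flags hidden annotations and page-sized /Rect values instead of a zero border, extend the regexes or move to a full parser.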

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ee2f.bin
  SHA-256: 9dfde741d0fd4256e4116f03aebb268e713c45bc5195fb2ec50eda79ee2329c6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEE2F
  Size: 4844 bytes

Filename: font_01_sfnt_off0000fea0.bin
  SHA-256: 3de42a4be8f2539f7db0f8674ae60618b26a4c7c398160a6faef5468613f08c3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFEA0
  Size: 11028 bytes

Filename: font_02_sfnt_off00012430.bin
  SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12430
  Size: 4324 bytes