Malicious PDF — malware analysis report

Static analysis result for SHA-256 acdbc08f3cb4bb45…

Verdict: MALICIOUS
File type: PDF
Size: 98.3 KB
Created: 2021-03-19 09:01:26 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e13bc222f69ce6b95c0ae75bfcf08134
SHA-1: 28f8876fac5af641ac6c578f32efa061f6b5ebfc
SHA-256: acdbc08f3cb4bb45519a0cdc220df78e40005c5edb42bcfdc5c8850005fa2eb7
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating an external URI and is flagged by ML classifiers and ClamAV as malicious, specifically a phishing trojan. The embedded URL points to a domain designed to impersonate Huntington Bank for online payments, suggesting a phishing attack. No scripts were extracted, but the presence of an external URI and the nature of the ClamAV detection strongly indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9945

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/wix?keyword=huntington+bank+online+payment
    • https://cdn-cms.f-static.net/uploads/4412161/normal_60344f3530586.pdf
    • https://cdn-cms.f-static.net/uploads/4425514/normal_5fe8b2b736bcc.pdf
    • http://kufemotobenin.66ghz.com/lifebupurukabubamo.pdf
    • http://sobanurosu.22web.org/national_geographic_magazine_index.pdf
    • http://mimedilubaj.22web.org/shadow_and_bone_characters_in_six_of_crows.pdf
    • https://cdn-cms.f-static.net/uploads/4388181/normal_600d4e8178225.pdf
    • http://tesepaxe.iblogger.org/23327233694.pdf
    • https://cdn-cms.f-static.net/uploads/4446762/normal_60159b47e8cdb.pdf
    • https://static.s123-cdn-static.com/uploads/4467573/normal_5ff801430e9f8.pdf
    • https://cdn-cms.f-static.net/uploads/4413005/normal_5fd82ed08ba7f.pdf
    • https://static.s123-cdn-static.com/uploads/4489713/normal_5fefbea3033da.pdf
    • https://cdn-cms.f-static.net/uploads/4470409/normal_604d08184a9c8.pdf
    • https://static.s123-cdn-static.com/uploads/4489032/normal_5ff5cd1365b1c.pdf
    • https://cdn-cms.f-static.net/uploads/4479710/normal_5fd8f58393658.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vufupu/tangled_before_ever_after_soundtrack.pdf
    • https://s3.amazonaws.com/xijalovelokolep/maus_part_2_chapter_1_summary.pdf
    • http://zajimalivi.rf.gd/water_pollution_in_english.pdf
    • http://mutizurik.rf.gd/siwurotevegufidowata.pdf
    • https://s3.amazonaws.com/fuwuzerijofa/tcs_aptitude_test_papers.pdf
    • https://uploads.strikinglycdn.com/files/4f5a20f5-9c73-41c4-acec-8f77cf3d0067/gafexumesodi.pdf
    • https://s3.amazonaws.com/muvarelo/blankety_blank_questions_guide.pdf
    • https://uploads.strikinglycdn.com/files/e043e8bd-b20a-4a47-a0af-88ae9263b0af/how_to_setup_toshiba_dvd_vcr_combo.pdf
    • https://uploads.strikinglycdn.com/files/3c49c39f-52b5-4b5a-9c59-9bc692c04154/mudawawapate.pdf
    • http://wupenokisu.epizy.com/66508249140.pdf
    • http://besevinoferoza.epizy.com/32201879558.pdf
    • https://uploads.strikinglycdn.com/files/1ccc7663-b458-4d4e-977b-37ca6cd85716/20232766043.pdf
    • https://s3.amazonaws.com/zukogi/55005399798.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000127ec.bin
  SHA-256: 62be090025e8cff0922ac18311cb77e23449bfd6ee0bdd3970371c03581d23fd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x127EC
  Size: 5132 bytes

Filename: font_01_sfnt_off00013967.bin
  SHA-256: cb6bed0ca359b6c27b5284f581ce06eb68056cbd9d0f53f84841a19e6a981d3f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13967
  Size: 13008 bytes

Filename: font_02_sfnt_off000165d0.bin
  SHA-256: c2f1b8e27e4c5d1eb6694bcf999bed56489d599ed66a9b176e3ad865fa2ee921
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x165D0
  Size: 16232 bytes