Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad80770abac6a6cd…

MALICIOUS

PDF

224.4 KB Created: 2022-05-29 06:07:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2022-07-15
MD5: 93f5c150d9142921cad06f75a9b86440 SHA-1: e5ee61671f28cf1a4af3c8e51ca3192c1fce3f0d SHA-256: ad80770abac6a6cd98e53995d82eb9a1087a203232fd6fd7f848e8067345d6e5
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.003 Phishing: Spearphishing via Service T1059.001 Command and Scripting Interpreter: PowerShell

The PDF document was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. The heuristic 'SE_MFA_LURE' indicates the document is designed to harvest credentials by tricking users into approving MFA prompts or entering one-time codes. The embedded URL points to a domain commonly associated with malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7668

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tevav.co.za/XSRYdR1H?utm_term=tutorial+carding+android+pdf+free+online+free+full
    • https://lombardpruszkow.pl/local/userfiles/file/gutipukumitepeloveneximut.pdf
    • http://stromzeleny.cz/file/49229190294.pdf
    • https://viwezoluzuwa.weebly.com/uploads/1/3/4/4/134401695/3077077.pdf
    • http://kungfubp.hu/admin/assets/images/files/dofurobirixadaxuv.pdf
    • http://busangh.com/attfile/fckimg/file///20220202224656_339892638.pdf
    • https://www.koreayokogawa.com/ckfinder/userfiles/files/gipisuruxilafu.pdf
    • http://lehoangcctv.com/ckeditor/kcfinder/upload/files/pojoxex.pdf
    • https://km2804.com/ckupload/files/lejowigaro.pdf
    • http://livestocksaltlicks.com/ckeditor/kcfinder/upload/files/52404053484.pdf
    • https://wobapuzufisuro.weebly.com/uploads/1/3/4/0/134042344/bevije.pdf
    • http://biemmecommerciale.eu/userfiles/files/31869025747.pdf
    • https://romasagato.weebly.com/uploads/1/3/4/7/134723475/nizub_mevas_kofifikawikoxo.pdf
    • https://luxm.pl/userfiles/file/pedawu.pdf
    • https://redodire.weebly.com/uploads/1/3/1/4/131408340/sejobamafuv.pdf
    • https://tusilagel.weebly.com/uploads/1/3/0/7/130739454/73a7def71638.pdf
    • http://predit.ru/admin/ckfinder/userfiles/files/6585011757.pdf
    • https://vivuwugo.weebly.com/uploads/1/3/0/9/130968913/remusotigiwubema.pdf
    • http://surestegc.org/documentos/file/26429213200.pdf
    • https://diedacorporation.net/freesiafiles/file/kebinawi.pdf
    • https://funstore.dialog.org/userfiles/file/fabizatelo.pdf
    • http://jaipurfabricator.com/newerac2c/userfiles/file/64066422767.pdf
    • https://www.sinditamaraty.org.br/site/public/ckeditor/kcfinder/upload/files/41291252480.pdf
    • https://nulenedo.weebly.com/uploads/1/3/6/0/136084055/fatalubudebujuxetox.pdf
    • http://chunzucn.yun2u.cn/upload/files/zolixigenifowimi.pdf
    • https://sijetiwiriwex.weebly.com/uploads/1/3/2/6/132683168/d1b4452.pdf
    • https://marketlayer.com/assets/kcfinder/upload/files/satisinajur.pdf
    • https://ihappywash.com/uploads/files/202202141411482367.pdf
    • http://mtjjt.com/2013/upload/article/files/220215074427340797s6xl8.pdf
    • https://fxafidelite.megazone-reims.com/userfiles/file/zewufokisogosite.pdf
    • https://kufaxalerix.weebly.com/uploads/1/3/1/4/131453821/7133749.pdf
    • https://sangogiaphuc.com/admin/webroot/upload/image/files/xesifopaxozinivuge.pdf
    • http://saraco.kz/public/uploads/files/62038986572.pdf
    • https://natesikapepik.weebly.com/uploads/1/3/4/7/134750077/2107186.pdf
    • http://impress-solution.com/file_media/file_image/file/wabirevolomonamo.pdf
    • https://idosekotthonaveresegyhaz.hu/files/files/kuxupaloxekutet.pdf
    • https://dixitelenamipum.weebly.com/uploads/1/3/4/3/134380202/lapuxelumasosamuva.pdf
    • https://lixazasowab.weebly.com/uploads/1/3/4/5/134588429/pewufof.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0003112f.bin
bf5d02eb090a4ce289d92bd6a7689bfe7f23e96d0bc98afc1a9d24f329e0095b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3112F 10688 bytes
font_01_sfnt_off00032991.bin
2761bcfc790e8ed28be1589aebee2eb79a20486dd86f0611e5469c497195b2f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x32991 17764 bytes
font_02_sfnt_off000357ed.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x357ED 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.