Malicious PDF — malware analysis report

Static analysis result for SHA-256 aeb60dceeaed5579…

Verdict: MALICIOUS
File type: PDF
Size: 119.4 KB
Created: 2021-04-03 11:08:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cf8358969bfe88938a4fe30e29ca7d22
SHA-1: 2dcd6ab70659ad877a212953ac65408d6cd29d50
SHA-256: aeb60dceeaed5579f398c265873eaa27f1e5917f839b58f9e6214476bbd9be7a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded URLs that lead to potentially malicious content, as indicated by the ML classifier and ClamAV detection. The document body, though partially corrupted, suggests a lure related to business plans, likely to trick users into downloading a further payload. The presence of external URIs points towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://resalured.ru/123?utm_term=business+plan+exemple+en+francais+pdf
    • http://kprovk.xyz/gapuxupewuzcammb.pdf
    • http://aires.fun/jaxisopupulofidexejivazuzvaqq0.pdf
    • https://cdn.sqhk.co/zivuputid/clAhfja/zesokisuwuk.pdf
    • https://cdn-cms.f-static.net/uploads/4387939/normal_60385d9b48b41.pdf
    • https://cdn.sqhk.co/sojetaji/ejbggig/english_reading_comprehension_for_class_12.pdf
    • https://cdn-cms.f-static.net/uploads/4417818/normal_604988e813446.pdf
    • https://static.s123-cdn-static.com/uploads/4450340/normal_5ff53a1cdcb74.pdf
    • https://static.s123-cdn-static.com/uploads/4447646/normal_5ff3826d49721.pdf
    • http://naturaitalia.space/8k00b.pdf
    • http://cleaner-inn.club/acha_chalta_hu_song_videous26c.pdf
    • https://static.s123-cdn-static.com/uploads/4369165/normal_5ff0be65697f9.pdf
    • https://cdn-cms.f-static.net/uploads/4447079/normal_604b4bed1c7dd.pdf
    • http://mexawolin.medianewsonline.com/abbyy_editor_portable.pdf
    • https://cdn.sqhk.co/vizebika/psghrij/89483315393.pdf
    • https://static.s123-cdn-static.com/uploads/4473938/normal_5fde75a36afc4.pdf
    • http://trend-sales.fun/what_exercise_with_high_blood_pressureo4j6t.pdf
    • http://pogawubujogeje.mypressonline.com/77054211368.pdf
    • https://cdn-cms.f-static.net/uploads/4498997/normal_6032b7ee29741.pdf
    • https://static.s123-cdn-static.com/uploads/4464052/normal_5ff5f4ae91c0b.pdf
    • http://carinsusa.info/spectrum_math_workbook_grade_8_free92cvz.pdf
    • https://cdn.sqhk.co/libuzewis/d3ljagd/zozide.pdf
    • https://cdn.sqhk.co/numisezopo/sHDhjig/nakamefifopenogomage.pdf
    • https://static.s123-cdn-static.com/uploads/4405208/normal_5fc6683fc9274.pdf
    • http://tokio-2020.fun/wosomop93f81.pdf
    • http://suzamakulamuj.mypressonline.com/asme_pressure_vessel_code_section_viii.pdf
    • http://torixobo.mypressonline.com/marathi_kadambari_file.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://wewamamewiler.atwebpages.com/fanemok.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00018fa8.bin
SHA-256: e9babe0b6b390966a9a3bc2433221c5ab56c0833045103fd4ad7480098f54189
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x18FA8
Size: 5420 bytes

Filename: font_01_sfnt_off0001a206.bin
SHA-256: 16d078305e3606d95ba440bc268375c5bc928a5666a90fe47154b1ab916e35f8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1A206
Size: 14268 bytes