Malicious PDF — malware analysis report

Static analysis result for SHA-256 b00298a076efb1b4…

Verdict: MALICIOUS
File type: PDF
Size: 87.8 KB
Created: 2021-03-14 04:24:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bb9c98258002a4c7c53282d90c2d8d60
SHA-1: 7969ee265f3bc4b02076c978d02696b4279dd503
SHA-256: b00298a076efb1b496fab3b9af50a6999226acb793104c419e58e38851162e54
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URL that is likely used for distributing malware or phishing content, disguised as a free physics textbook download. The PDF structure and embedded URI heuristic indicate an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off000117ef.bin
    SHA-256: 6e398ae88e2f5b2e9c1fc160a0bec8949428e680e5c677f57caf1513655d0723
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x117EF
    Size: 5844 bytes
  • font_01_sfnt_off00012bef.bin
    SHA-256: b6b6cfc016c1d8c747ac90f7e39d49225b9d3b2299404efb98afe338554dcd26
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12BEF
    Size: 11112 bytes