Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0b74b02df9597d4…

MALICIOUS

PDF

Size: 78.6 KB
Created: 2021-03-29 04:52:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 658114e23174c0fc1169ef0031cb73fb
SHA-1: 39fd797d3b932d8004f701922d20f2ec0fba070a
SHA-256: b0b74b02df9597d4dd76b5fee642945ba0cd5f5adb5d8cbeb76729721aec372a
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

Heuristic scanning finds an external URI action in the file, and both the ML classifier and ClamAV flag it as malicious. The document body, though partially corrupted, suggests a lure themed around the search term 'destination b2 pdf key'. The primary IOC is the lure URL embedded in the PDF (https://dafemum.ru/award?keyword=destination+b2+pdf+key, whose keyword matches the lure text), which likely serves as the initial point of contact for a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader resolves the earlier definition and a last-wins reader the later one, so two consumers of the same file see different content; this parser-confusion pattern is used by targeted PDFs to show one object to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates, so severity is raised only when a duplicate definition carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary IOC URL: https://dafemum.ru/award?keyword=destination+b2+pdf+key
    Other extracted URLs:
    • http://love-cosmetics.shop/ppt_templates_free_with_animation70rd8.pdf
    • http://gnoogle.site/how_much_is_photoscape_x_pro6whpo.pdf
    • http://beststudent.space/capsa_susun_diamond_apkkmfp6.pdf
    • http://fumigatoff.online/96084931135mbawf.pdf
    • http://afracheat1.xyz/16384498509k3ihm.pdf
    • http://buvalopexur.mygamesonline.org/cambridge_english_pronouncing_dictionary_18th_edition.pdf
    • http://salonop.xyz/dulilu95dtq.pdf
    • http://rezolawanelu.sportsontheweb.net/activity_diagram_definition.pdf
    • https://cdn.sqhk.co/zurefaxenov/6NUqicU/glow_up_balls_for_bike.pdf
    • https://cdn.sqhk.co/lebapivi/jfmWihn/big_bang_song_lyrics_in_english.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://36fc1fe3-b646-4cc1-b6e9-de51469aea27.filesusr.com/ugd/3eb4bd_0caa383ed072448e90300580cc998373.pdf?index=true
    • https://e9593579-f51f-4dc6-af55-2543ab512b45.filesusr.com/ugd/37952c_36321773f6154eb7b141455d1e173dc3.pdf?index=true
    • https://f8b2de7a-6012-4721-b8f1-df5267d6bb95.filesusr.com/ugd/8ebb60_9e46c13812104e828eba076321c1bee8.pdf?index=true
    • https://21e323bd-7fdd-46e9-a6c7-4880e76d7610.filesusr.com/ugd/0a51c1_b5d47cb570684a888bad8671c346e315.pdf?index=true
    • https://1e16f6d7-285b-4488-bf07-d3e24ac90e20.filesusr.com/ugd/417718_76ca3e60d0ce4dd487ca394a996e0c1e.pdf?index=true
    • https://5f384421-c3d0-4b4c-85a6-d3745974446f.filesusr.com/ugd/40006b_d89be799c18b4101a1f4fea78e587760.pdf?index=true
    • https://b8436764-02b3-4471-8711-1e8fed235cf0.filesusr.com/ugd/3b3fbb_9bed2019dae44f28a1545bff09fef374.pdf?index=true
    • https://ee42ee57-4547-4a8c-8a66-6cccb7f6869d.filesusr.com/ugd/2a9ad2_e6c85f68af8e4c53908b7cfc18f3ed84.pdf?index=true
    • https://cee4a208-09ac-40e0-983f-4c2cc776acbe.filesusr.com/ugd/5ed537_d3685ca2c6bd47a5bb13c90d9f5d95fa.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
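Two of the heuristics above (the duplicate indirect object with differing bodies, and the per-channel URL labelling) are easy to reproduce on raw PDF bytes. The following is an added example written for this report, not part of the analysis tooling or of the sample: it scans a constructed PDF skeleton (no xref table, so it is scanner input rather than a loadable document) in which an incremental update redefines the link annotation object 4 0, shows what a first-wins and a last-wins reader resolve for that object, raises severity only when a duplicate carries active-content keys, and labels each extracted URL by the channel that reaches it (URI action versus XMP metadata versus plain body text). The hostnames example.org and malicious.invalid, the object layout and the set of active-content tokens are assumptions for the example. Namespace URIs such as the w3.org, purl.org and ns.adobe.com entries at the end of the list above typically come from the XMP metadata stream, and the scripts.sil.org/OFL entry typically from an embedded font's licence string; only URLs reached through an action channel are clickable from the document.

```python
import re

# Constructed fixture (not the analysed sample): a minimal PDF skeleton without an
# xref table. The first definition of object 4 0 points the link annotation at a
# benign URL; an incremental update redefines it to point at a hypothetical lure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://example.org/benign) >> >> endobj
5 0 obj << /Type /Metadata /Subtype /XML /Length 66 >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://malicious.invalid/lure) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Matches a URI action written as /S /URI ... /URI (literal string); hex-string
# URIs and dictionaries with the keys in the other order are not handled here.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
ANY_URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
# Assumed set of keys whose presence means a redefinition changes behaviour, not
# just appearance. Substring matching is deliberate (/JS also covers /JavaScript).
ACTIVE_TOKENS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
                 b"/AA", b"/SubmitForm", b"/GoToR")


def iter_objects(data):
    """Yield (num, gen, body, offset) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def duplicate_objects(data):
    """Map (num, gen) -> [(offset, body), ...] for objects defined more than once with differing bodies."""
    defs = {}
    for num, gen, body, off in iter_objects(data):
        defs.setdefault((num, gen), []).append((off, body))
    return {k: v for k, v in defs.items() if len({b for _, b in v}) > 1}


def resolve(data, num, gen=0, policy="last"):
    """Return the body a first-wins or last-wins reader would use for object 'num gen'."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[-1] if policy == "last" else bodies[0]


def assess_duplicates(data):
    """One finding per duplicated object; severity is raised only for active content."""
    findings = []
    for (num, gen), defs in sorted(duplicate_objects(data).items()):
        active = any(tok in body for _, body in defs for tok in ACTIVE_TOKENS)
        findings.append({"obj": f"{num} {gen}", "definitions": len(defs),
                         "severity": "high" if active else "info"})
    return findings


def extract_urls(data):
    """Return (url, channel, 'N G') triples labelling how each URL is reached."""
    out = []
    for num, gen, body, _ in iter_objects(data):
        ref = f"{num} {gen}"
        if re.search(rb"/Type\s*/Metadata", body):
            # Namespace URIs inside XMP are descriptive, never clickable.
            out += [(u.decode(), "xmp_metadata", ref) for u in ANY_URL_RE.findall(body)]
        elif re.search(rb"/S\s*/URI\b", body):
            # A URI action is the channel a viewer actually follows on click.
            out += [(u.decode(), "uri_action", ref) for u in URI_ACTION_RE.findall(body)]
        else:
            out += [(u.decode(), "document_body", ref) for u in ANY_URL_RE.findall(body)]
    return out


if __name__ == "__main__":
    for finding in assess_duplicates(SAMPLE_PDF):
        print("duplicate:", finding)
    print("first-wins 4 0:", resolve(SAMPLE_PDF, 4, policy="first"))
    print("last-wins  4 0:", resolve(SAMPLE_PDF, 4, policy="last"))
    for url, channel, ref in extract_urls(SAMPLE_PDF):
        print(f"{channel:14} obj {ref}: {url}")
```

Running the block reports object 4 0 as defined twice with high severity (the duplicate carries a /URI action), shows that a first-wins reader resolves the benign URL while a last-wins reader resolves the lure, and labels the w3.org namespace URI as xmp_metadata rather than as an action. On a real sample, run the same scan against the decompressed object streams as well, since a URI action inside an /ObjStm is invisible to a byte-level regex.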

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e3d0.bin
  SHA-256: 941b0300b452676dfef39ec10009de2a24efb083e6f654e83a5b5866e63ba0ae
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE3D0
  Size: 5344 bytes

Filename: font_01_sfnt_off0000f625.bin
  SHA-256: 961b992827a5261709ede18233d3362ae1f7c9feaba12f46beaa8255c881667d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF625
  Size: 25768 bytes