Malicious PDF — malware analysis report

Static analysis result for SHA-256 b13fc0db5bced175…

MALICIOUS

PDF

Size: 77.3 KB
Created: 2021-03-29 22:11:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 20e410e597a89a604c0099f87845557a
SHA-1: ec086de3dbea3dd022920ac0624029fef3c296c5
SHA-256: b13fc0db5bced1752f7bc0ea3b0576590731591eead7d504636facd2e1631556
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV. It contains an embedded URL pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to language origins, likely to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://jacksth.ru/strik?utm_term=where+did+the+navajo+language+come+from
    • https://cdn-cms.f-static.net/uploads/4369908/normal_5fe8cf05cf499.pdf
    • https://cdn-cms.f-static.net/uploads/4416665/normal_5fe811895cae9.pdf
    • http://biomaniix.website/nabixazi8vu1h.pdf
    • https://static.s123-cdn-static.com/uploads/4379851/normal_5ff7a7c386f9e.pdf
    • http://hookup158.fun/saat_kavram_parmak_oyunutt8t4.pdf
    • https://cdn-cms.f-static.net/uploads/4495525/normal_6050dc4010bfd.pdf
    • http://vewedomodisex.22web.org/music_sheet_notes_names.pdf
    • http://satogolijosefas.iblogger.org/minuponeru.pdf
    • http://tesocoin.online/mars_mars_game_characterslgs79.pdf
    • https://cdn-cms.f-static.net/uploads/4369310/normal_602a353560c60.pdf
    • http://wifisef.medianewsonline.com/disadvantages_of_social_media_for_business.pdf
    • http://lupelisizi.medianewsonline.com/bilinabegutawiw.pdf
    • http://opencabinets.xyz/fedloan_forgiveness_disabilitylj2aj.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3e0c42a1-3848-4e72-a2b5-f0fd43fd55c0/conversion_de_milimetros_a_pulgadas_en_herramientas.pdf
    • http://merovuditipin.onlinewebshop.net/fekupu.pdf
    • https://fccd5518-64e1-462d-9dbe-8d8d8a19ca7a.filesusr.com/ugd/eb005d_7ccc3d78ca14447ead38fd16bee8b63a.pdf?index=true
    • https://6acf0ca1-aa41-4771-8b91-54baff69ee7f.filesusr.com/ugd/7d1dc9_2281d87ef8d74914b70f6094ec9adb61.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1cd66325-ed95-44e0-9088-90a01f02ce57/what_is_the_synonym_of_ordinary.pdf
    • https://uploads.strikinglycdn.com/files/75a81259-247a-42e1-8242-e00aa89c5e15/28864917765.pdf
    • http://defozuwonig.rf.gd/zosunudanivonunefigut.pdf
    • http://babudenipovux.rf.gd/12315740795.pdf
    • https://uploads.strikinglycdn.com/files/dadc6ea9-9b53-4c21-92a9-47a5a613c27f/delonghi_portable_air_conditioner_with_heat_pump_costco.pdf
    • http://jamenajiko.myartsonline.com/45421819389.pdf
    • http://zekezixurul.onlinewebshop.net/gavilesiz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • font_00_sfnt_off0000efbc.bin
    SHA-256: 1cd55d3db6f53fda1cb4f0407cee7159f5ef324f1111185e93b4a6ca19b855ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFBC
    Size: 5404 bytes
  • font_01_sfnt_off00010212.bin
    SHA-256: 7970f48afb1b0e73265d0e06f6f130b7cd18f36b95c7140d9d27eb8717832dca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10212
    Size: 11080 bytes