Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2119d20f90cb3db…

Verdict: MALICIOUS
File type: PDF
Size: 79.3 KB
Created: 2021-03-17 13:04:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 14ae9bc2c7afc7246e9bf6060ba3aebe
SHA-1: 8d7c3e4b17110b9192fea8226a817aaabf790201
SHA-256: b2119d20f90cb3dbf8173bef7cdf1a70a510cf4fc02d17c5c8ce05e1c474f982
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. An external URI pointing to 'leonvi.ru' was extracted, suggesting a phishing or credential harvesting attempt. While no scripts were explicitly extracted, the PDF structure and embedded URI are indicative of a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/wix?keyword=manual+potato+chip+slicer
    • https://cdn.sqhk.co/wufevinek/gieihhg/41007228077.pdf
    • http://lightstart.xyz/how_to_use_milk_and_honeyrnalr.pdf
    • http://avit0.pro/nitisuzujawojumovafowuaq87w.pdf
    • http://bnatural.space/poulan_pro_leaf_blower_bvm200vs_manual7sykt.pdf
    • http://kinorio5.xyz/are_intps_attracted_to_infjsftvbl.pdf
    • http://sokfresh.fun/what_number_should_my_heater_be_onfa5ff.pdf
    • https://cdn.sqhk.co/tosilura/3XkxidU/pokemon_card_value_book.pdf
    • https://cdn.sqhk.co/vedimofaw/hhdjgie/probability_questions_and_answers_on_cards.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://5b3a2631-baab-4d1f-8161-183aa5bfd7a2.filesusr.com/ugd/5dc2b7_952a48d3219840b1a9343ad10f34afe1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/49c6a267-6975-4859-8613-979d495f9454/lujorimunewopoxos.pdf
    • https://ca39a19f-16f9-469f-ab0b-65ec0463b8d0.filesusr.com/ugd/cc9b97_5f906645da1548a7be2a2c02ce4a3cce.pdf?index=true
    • http://xinozotaga.rf.gd/difamuvajenu.pdf
    • https://b2d1eea7-aef5-47fc-962c-88b5513ecafc.filesusr.com/ugd/3a57bc_662d12ea6c6d4d1e8124ba107e7d0523.pdf?index=true
    • https://uploads.strikinglycdn.com/files/030f79f4-885c-45a0-970b-ebb4365aa941/que_lleva_la_metodologia_de_un_proyecto_de_investigacion.pdf
    • https://s3.amazonaws.com/jajuzasalikirut/xiduk.pdf
    • https://s3.amazonaws.com/tawovojo/the_other_side_of_the_door_movie_watch_online_free.pdf
    • http://tirevotijo.epizy.com/upcoming_bollywood_movies_trailer_2018.pdf
    • https://uploads.strikinglycdn.com/files/e4f42ada-835e-4330-a224-609b1eb3e311/the_story_of_oj_lyrics.pdf
    • https://76c9fb28-c10e-4950-85be-37de24a2ede8.filesusr.com/ugd/fa32a6_01016ab6455443c99a2221ff158d3485.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6647a1e8-b27e-4f0b-9141-6fadf53b7ab9/pasedenoroxiniretibu.pdf
    • http://fopopuwefepa.rf.gd/dewalt_miter_saw_stand_dwx724_review.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off0000eaaf.bin
    SHA-256: c248fd0527ff3ebb72069dd83f0f3a3208a98283ae0d2ed3f8e232c8cc47f0c8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAAF
    Size: 4404 bytes
  • font_01_sfnt_off0000fa30.bin
    SHA-256: 4aa01fac86c92bd140ec387b2a85a1d0ec77ae042346b8a02226cd240b1b5aeb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA30
    Size: 5024 bytes
  • font_02_sfnt_off00010b46.bin
    SHA-256: 0f990e663a8ac057e584ba76dbea799bd46e195f3ae5c9ca6f75b1190e5a9216
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B46
    Size: 10648 bytes