Malicious PDF — malware analysis report

Static analysis result for SHA-256 b25e40a5f9fcdbb3…

MALICIOUS

PDF

Size: 79.6 KB
Created: 2021-03-12 10:15:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c2deb43437d7bb09446c3564db2f26e2
SHA-1: 2a77f95b4ad556b1b9b92d95c42e9f38b6f0becc
SHA-256: b25e40a5f9fcdbb3ffbd0d431b2305d7688c4adc4f17782104c1301c4c081c9c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing attempt. It contains embedded URLs that likely lead to malicious content or further infection vectors. The document body, though heavily obfuscated, suggests a lure related to a 'gardening guide', which is a common tactic for phishing documents.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000faaa.bin
    SHA-256: 64a975bea28024d3c35f85851260bc982e7e55d9e001c02a147f12db39d316d6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFAAA
    Size: 5324 bytes
  • Filename: font_01_sfnt_off00010cb3.bin
    SHA-256: 84130a90780dee45bbc29369c062e7574d150007e1f5c4c8b537103164a786fb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CB3
    Size: 10756 bytes