Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2615910efc0ea5c…

MALICIOUS

PDF

Size: 85.4 KB   Created: 2021-06-01 06:30:54 +03:00   Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff776e3a4757e64f81c431237a7b847f SHA-1: d690410d0e809b98c4a0925b1004ed0a9afac065 SHA-256: b2615910efc0ea5c515c2429f4e9bf09006c5dfb81893d6959a3dec05416278a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged by a machine learning classifier (malicious score 0.9994) and by ClamAV, whose signature names it a phishing trojan. The only active content found is an external URL action whose target, https://irlanc.ru/pbw?utm_term=the+traders+blueprint+book+pdf, advertises a 'traders blueprint book' in its query string, the usual lure of search-engine-seeded "free PDF download" scams. The other URLs recovered from the document body fall into three groups: more pbworks.com / strikinglycdn.com / f-static.net "document" links of the same kind, strings that most likely come from the embedded fonts' licence metadata (ascendercorp.com, scripts.sil.org/OFL), and standard RDF/XMP namespace identifiers (w3.org, purl.org, ns.adobe.com) that are not navigable targets. No JavaScript or other script objects were extracted, so the T1059.007 tag rests on the classifier verdict rather than on recovered code; the phishing verdict is supported by the external URI action, the duplicated object body introduced by an incremental update, and the ML/ClamAV detections together.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://irlanc.ru/pbw?utm_term=the+traders+blueprint+book+pdf
    • https://cdn-cms.f-static.net/uploads/4410433/normal_603dd1a9e064e.pdf
    • https://cdn-cms.f-static.net/uploads/4384142/normal_60250af648827.pdf
    • https://cdn-cms.f-static.net/uploads/4416332/normal_602a2e4cdfbb3.pdf
    • https://cdn-cms.f-static.net/uploads/4365594/normal_601b69a8c3391.pdf
    • https://cdn-cms.f-static.net/uploads/4499005/normal_6033d051d4f7b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/678c1676-4bf2-4881-a799-fdcf8908e6e9/3255221931.pdf
    • http://palixazoke.pbworks.com/w/file/fetch/144428169/do_i_need_a_doctors_note_for_maternity_leave.pdf
    • http://tiduxikuve.pbworks.com/f/kurosi.pdf
    • https://uploads.strikinglycdn.com/files/18887c13-1488-4af8-92b1-b2b77371347f/when_will_disney_world_take_reservations_for_october_2021.pdf
    • http://zeladejan.pbworks.com/w/file/fetch/144442398/pofut.pdf
    • http://bevojoluvu.pbworks.com/w/file/fetch/144441255/46628190355.pdf
    • http://letonepamusi.pbworks.com/f/13233251567.pdf
    • http://xoxafepapesu.pbworks.com/w/file/fetch/144411768/mowivar.pdf
    • http://rujuboxu.pbworks.com/w/file/fetch/144440235/62766392548.pdf
    • https://uploads.strikinglycdn.com/files/dea34820-70fc-475f-8082-38be281c40fd/refegejifelurotogok.pdf
    • http://nikekuva.pbworks.com/f/dapamexibunuxokojabopu.pdf
    • http://wekibivu.pbworks.com/w/file/fetch/144441465/whats_the_real_feel_temperature_outside.pdf
    • http://finebov.pbworks.com/f/mini_militia_old_version_2015_apk_download_hack_apkpure.pdf
    • https://uploads.strikinglycdn.com/files/53181fd0-40d3-4334-834c-775758ffc5d0/tiger_rice_cooker_jbv-10cu_manual.pdf
    • http://zeladejan.pbworks.com/f/30050319288.pdf
    • http://wojipag.pbworks.com/f/13723566722.pdf
    • http://zabodovojif.pbworks.com/w/file/fetch/144427014/45355016136.pdf
    • https://uploads.strikinglycdn.com/files/36e745f8-35cf-4dd5-b268-1d544ca54b4a/47394009681.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
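The two static checks behind the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics above can be reproduced with a short raw-byte scanner. The following is an added example, not code from this report or its analysis engine: it enumerates every `N G obj ... endobj` definition in file order, reports object numbers that are defined more than once with differing bodies (and whether either body carries active content such as a /URI or /JS, which is the escalation rule the heuristic describes), and labels each extracted URL with the channel it was reached by and with which reader (first-wins or last-wins) would actually see it. The sample PDF is constructed inline and is not the analysed file; the example.org and lure.example URLs are placeholders.

```python
import re
import sys
from collections import defaultdict

# Constructed sample (not the analysed file): one page, one link annotation
# (object 4 0), an XMP metadata stream, then an incremental update that
# redefines 4 0 with a different /URI target. First-wins readers follow the
# original link, last-wins readers follow the update.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n",
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/benign.pdf) >> >>\nendobj\n",
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP),
    XMP + b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    # incremental update: same object number and generation, different body
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://lure.example/pbw) >> >>\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"^(\d+)\s+(\d+)\s+obj\b(.*?)^endobj", re.S | re.M)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")              # /URI (target) in an action dict
XMLNS_RE = re.compile(rb'xmlns:\w+="(https?://[^"]+)"')   # namespace URIs in XMP
# Dictionary keys that make a duplicated object "active content"
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")


def parse_objects(data):
    """Return {(num, gen): [body, ...]} with bodies in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_bodies(objs):
    """Objects defined more than once whose definitions are not byte-identical."""
    return {key: {"first": bodies[0], "last": bodies[-1]}
            for key, bodies in objs.items()
            if len(bodies) > 1 and len(set(bodies)) > 1}


def active_duplicates(dups):
    """Subset of duplicates where either resolution carries active content;
    only these warrant raising severity, as the heuristic text describes."""
    return {key: v for key, v in dups.items()
            if any(k in v["first"] or k in v["last"] for k in ACTIVE_KEYS)}


def extract_urls(objs):
    """Map each URL to a set of (channel, seen_by) labels."""
    found = defaultdict(set)
    for key, bodies in objs.items():
        for idx, body in enumerate(bodies):
            if len(bodies) == 1:
                seen_by = "all readers"
            elif idx == 0:
                seen_by = "first-wins readers"
            elif idx == len(bodies) - 1:
                seen_by = "last-wins readers"
            else:
                seen_by = "no reader"          # shadowed intermediate definition
            for url in URI_RE.findall(body):   # clickable: URI action
                found[url.decode("latin-1")].add(("uri_action", seen_by))
            if b"/Type /Metadata" in body:     # not clickable: XMP namespace
                for url in XMLNS_RE.findall(body):
                    found[url.decode("latin-1")].add(("xmp_namespace", seen_by))
    return found


def triage(data):
    objs = parse_objects(data)
    dups = duplicate_bodies(objs)
    return {"objects": len(objs), "duplicates": dups,
            "active_duplicates": active_duplicates(dups), "urls": extract_urls(objs)}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    result = triage(data)
    for (num, gen) in result["duplicates"]:
        flag = "ACTIVE" if (num, gen) in result["active_duplicates"] else "passive"
        print(f"duplicate definition of {num} {gen} obj ({flag})")
    for url, labels in sorted(result["urls"].items()):
        print(url, sorted(labels))
```

Run it with a file path to triage a real sample. The scanner works on raw bytes: it does not inflate object streams (/ObjStm) or follow the xref and /Prev chain, so objects living inside compressed streams are missed, and the first-wins/last-wins labels describe the two resolution strategies rather than what one particular reader does with the file's cross-reference tables. A URL labelled xmp_namespace is metadata the user can never click, which is why the w3.org, purl.org and ns.adobe.com entries in the list above are not indicators on their own.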

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00010cc4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10CC4  5284 bytes
  SHA-256: 8cb1970c6d925936ea440823e81962574a2a2bb31fdb70ca4d68b33cc1abb04e
font_01_sfnt_off00011eaa.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11EAA  11680 bytes
  SHA-256: 5583823d27806d9cc41aa91c261b61deadf5d4f4a77b2006ac9674d37ad18429