Malicious PDF — malware analysis report

Static analysis result for SHA-256 b293c6ea0dc7790c…

Verdict: MALICIOUS
File type: PDF

Size: 84.2 KB
Created: 2021-03-30 21:43:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f47a3eb142bf77c8a01251fdd75f825
SHA-1: 97c1935b2c15d5963c6cb6df2eff68a7158768e2
SHA-256: b293c6ea0dc7790cff834f90ba1aded1d075c9125b3c3e843443e494987f9af8
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged by several independent signals: a critical ClamAV signature match, a high-confidence ML classifier verdict, and a set of structural and content heuristics. The document body is obfuscated, but the external link actions together with the SE_PASSWORD_ARCHIVE_LURE heuristic indicate a document built to steer the reader toward downloading further content, consistent with a phishing delivery chain. No scripts were extracted from the file, so the T1059.007 mapping is not backed by a carved JavaScript object; the embedded download URLs are the primary indicators to pivot on, after discarding the metadata and font-license URIs listed alongside them.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Per-URL labels are not included in this export, so the list below mixes two classes: the .pdf download links on free-hosting and throwaway domains (cdn.sqhk.co, s3.amazonaws.com buckets, medianewsonline.com, getenjoyment.net, atwebpages.com and the .fun/.xyz/.ru hosts), which are the actionable indicators, and boilerplate URIs that carry no signal: the w3.org RDF, purl.org Dublin Core and ns.adobe.com entries are standard XMP metadata namespaces, and the SIL OFL and dejavu.sourceforge.net pages are license fields from the embedded fonts (www.ascendercorp.com is a font foundry and most likely comes from a font name table as well, though this export does not say so).
    • https://golowaki.ru/wix?keyword=no+es+lo+mismo+chistes+para+ni%25C3%25B1os
    • https://cdn.sqhk.co/bulixanejad/ShbfIjh/movub.pdf
    • http://harkateine.fun/mary_did_you_know_piano_sheet_musict57n1.pdf
    • http://jalazekesofijot.medianewsonline.com/janalafanewolaropinerejuf.pdf
    • https://cdn.sqhk.co/lixabanitav/bahiNaI/41992477584.pdf
    • http://ideal-it.fun/nokefutukyvcbr.pdf
    • https://cdn.sqhk.co/fazofasufiwu/gh3Migm/40008424012.pdf
    • http://pifowovumuwe.medianewsonline.com/12023786530.pdf
    • http://sdorovie-sustavi.xyz/55576485987bjdfq.pdf
    • https://cdn.sqhk.co/bodegife/hjhd1ib/body_building_photo_editor_apk.pdf
    • http://nekidifuton.medianewsonline.com/pattern_oriented_software_architecture_volume_1.pdf
    • http://axacheat4.xyz/53486514035xovv8.pdf
    • http://medicalpracticementor.com/hp_laserjet_pro_400_m401dn_ink_cartridgezp86l.pdf
    • https://cdn.sqhk.co/nufesewepi/jj0766i/nulesapatebudopaxufev.pdf
    • https://cdn.sqhk.co/kajojetugap/gilVsib/gisureka.pdf
    • http://lowabunuzoxa.getenjoyment.net/complete_list_of_ncaa_banned_substances.pdf
    • https://cdn.sqhk.co/gujadozede/jijGjeL/92909035105.pdf
    • http://alphabitx.com/378915606911i1tk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://sukokovevaz.atwebpages.com/bomag_bw65h_parts_manual.pdf
    • https://s3.amazonaws.com/jedadokuti/vunilavarinizonogupupovim.pdf
    • https://s3.amazonaws.com/galinikagopit/stock_investing_for_beginners_john_roberts.pdf
    • https://s3.amazonaws.com/faluzotixupi/gerimabuxub.pdf
    • https://s3.amazonaws.com/xamapebonijos/76851484632.pdf
    • https://s3.amazonaws.com/dojivewobasuval/61880302495.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
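The two structural heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the PDF_URI / EMBEDDED_URL pair, can be reproduced with a byte-level scan. The script below is an added example and is not code from the analysis pipeline that produced this report. It runs on a constructed minimal PDF embedded in the script (not on the analysed sample), and it only handles uncompressed "N G obj ... endobj" definitions and literal-string /URI values: it lists objects defined more than once with differing bodies, shows what a first-wins reader and a last-wins reader would each resolve for such an object, and reports the URIs each policy would expose versus the union a triage scanner should report.

```python
import re
from collections import OrderedDict

# Constructed sample (not the analysed file): a minimal PDF whose original
# body defines object 4 as a link annotation, followed by an incremental
# update that redefines object 4 with a different /URI. Cross-reference
# tables are omitted on purpose; a byte-level scanner does not rely on them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/original.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.net/updated.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" anywhere in the file; the lookbehind stops a match from
# starting in the middle of a longer number. Body is captured lazily up to endobj.
OBJ_RE = re.compile(rb"(?<![\w/])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI literal string, tolerating backslash-escaped parentheses. Hex strings
# (<...>) and URIs inside compressed streams are out of scope for this example.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def object_definitions(data):
    """Map (num, gen) -> list of body bytes in file order; every definition is kept."""
    defs = OrderedDict()
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def duplicate_objects(data):
    """[( (num, gen), definition_count, bodies_differ )] for objects defined more than once."""
    out = []
    for key, bodies in object_definitions(data).items():
        if len(bodies) > 1:
            out.append((key, len(bodies), len(set(bodies)) > 1))
    return out


def resolve(data, num, gen, policy="last"):
    """Body a reader would use for (num, gen) under a first-wins or last-wins policy."""
    bodies = object_definitions(data).get((num, gen), [])
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def _unescape(s):
    # Undo PDF literal-string backslash escapes (\( \) \\) before decoding.
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def reachable_uris(data, policy="last"):
    """URIs exposed as link actions by a reader with the given duplicate-resolution policy."""
    uris = []
    for (num, gen) in object_definitions(data):
        body = resolve(data, num, gen, policy)
        uris.extend(_unescape(m.group(1)) for m in URI_RE.finditer(body))
    return uris


def all_uris(data):
    """Every /URI in every definition: the union a triage scanner should report."""
    return sorted({_unescape(m.group(1)) for m in URI_RE.finditer(data)})


if __name__ == "__main__":
    for key, n, differ in duplicate_objects(SAMPLE_PDF):
        print(f"object {key[0]} {key[1]} defined {n} times, bodies differ: {differ}")
    print("first-wins:", reachable_uris(SAMPLE_PDF, "first"))
    print("last-wins: ", reachable_uris(SAMPLE_PDF, "last"))
    print("union:     ", all_uris(SAMPLE_PDF))
```

On a real sample, FlateDecode streams (object streams, annotation dictionaries inside them) have to be inflated before the same regexes see anything, and an incremental update is only legitimate when its trailer /Prev chain points back at a valid earlier xref; a redefinition with no xref entry at all is the parser-confusion shape the heuristic describes. Reporting the union of all URIs, as all_uris does, is the safe choice for triage because it does not matter which policy the victim's reader follows.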

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f4a8.bin
    SHA-256: e9806650a06d6b8075e7223eeb76242214dafd53b99168cd754c2ccd8c75d682
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4A8
    Size: 5352 bytes
  • font_01_sfnt_off00010672.bin
    SHA-256: e8a22a1adca6c4e192b8075c57db7f159ab6feb0516202d0388cbfa163b3c68c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10672
    Size: 10892 bytes
  • font_02_sfnt_off00012c02.bin
    SHA-256: 6c511cd2548aab1566dad8f54fccf2be4cd056cf5a4d5d56937977fde9165995
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C02
    Size: 16132 bytes