Malicious PDF — malware analysis report

Static analysis result for SHA-256 b320313a0dfedaf3…

MALICIOUS

PDF

Size: 93.0 KB
Created: 2021-03-08 22:49:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eddae270a6199fe85a642d61f9fb3f7d
SHA-1: 6eeaa29c372616413c17ecc04f6b1ac9d890c430
SHA-256: b320313a0dfedaf36d6c9642fe5bd3b03f09b0c918a6f010d0502729afe10c29
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware distribution site. Although no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it's designed to exploit users through deceptive content, potentially leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wix?keyword=dbd+monitor+and+abuse+vs+shadowborn (label: URL)
    • https://xujuwoxevosu.weebly.com/uploads/1/3/4/8/134896670/3184097.pdf
    • http://tupaxeguna.scienceontheweb.net/kalawedidulabutosoxe.pdf
    • http://paselon.getenjoyment.net/against_the_grain_james_c_scott_audiobook.pdf
    • http://zanartcc.net/what_is_the_average_middle_class_income_per_yearf65c5.pdf
    • https://cdn.sqhk.co/serodozire/hdSDsia/3d_shooting_games_for_pc_free_download.pdf
    • http://mixit.info/17651963730aqu2y.pdf
    • http://saroforati.medianewsonline.com/pajifelus.pdf
    • http://wejuzofibab.medianewsonline.com/how_to_get_rid_of_red_acne_spots_on_face_fast.pdf
    • https://cdn.sqhk.co/dizoketa/jcMja3E/kylo_ren_lightsaber_toy_amazon.pdf
    • https://cdn.sqhk.co/padasagam/3nicQhe/murder_hornet_vs_wasp_size_comparison.pdf
    • http://pozufopajosel.mypressonline.com/how_do_i_replace_my_verizon_fios_battery.pdf
    • https://bukodebavuv.weebly.com/uploads/1/3/4/6/134657655/vunik.pdf
    • https://sukaxivex.weebly.com/uploads/1/3/4/8/134895869/7321449.pdf
    • http://copyrights-notices-helps.com/is_crime_and_punishment_goodgsioj.pdf
    • http://kelnoteres.xyz/pixel_survival_3_hack_1._18_multiplayerv7zde.pdf
    • https://metuliwilive.weebly.com/uploads/1/3/4/3/134386481/gofojopuxubupa_kenuxut.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zorijefugixor.atwebpages.com/44594131372.pdf
    • https://0f7a2101-273c-4f7f-b1fd-079d1ad923c1.filesusr.com/ugd/a7ea6f_d736502b67cf4209a1d9e63f3812a2e8.pdf?index=true
    • https://41c240d9-b4af-4f88-8fa4-2a41cce3a287.filesusr.com/ugd/01bc73_ea5036dfd378480fadaefc6259c15116.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off00010aa6.bin (1828cb5f5c61b7396c70902992dc7cc0c69f51808e72aee49edb4c093f1992e5) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10AA6 | 3708 bytes
font_01_sfnt_off000117cb.bin (838fb96b5bbc94eece0632c23ef3ad3dfa24b5b32b7731b480a698f0933dff25) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x117CB | 5324 bytes
font_02_sfnt_off000129c8.bin (25ade842fb0045d553368ea074f8d11e323ced11895de934500a006ea9eb819a) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x129C8 | 11272 bytes
font_03_sfnt_off00015085.bin (8ed0161098d644b05834af96d0846dfdcb8a0cb1eef801e64eceda157818c26f) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15085 | 16316 bytes