Malicious PDF — malware analysis report

Static analysis result for SHA-256 b32132ce841fe8e7…

MALICIOUS

PDF

Size: 86.9 KB | Created: 2021-03-22 14:21:57 +02:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 66003e3414ee49914d53c23d6f4a99af
SHA-1: be51a95936ef5f13eeddb2a32ef4da01d179b8b8
SHA-256: b32132ce841fe8e78077a988b6db1cd71c75ee0f7e92d6861d8a6a60ea243de4
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains embedded URLs, one of which, 'https://soxebez.ru/wix?keyword=www.hotmail.com.ar+iniciar+sesi%25C3%25B3n', is designed to mimic a legitimate login page. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests that the document may be part of a larger attack chain involving password-protected archives, further indicating a phishing or credential harvesting attempt. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (4)

  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • [URL] https://soxebez.ru/wix?keyword=www.hotmail.com.ar+iniciar+sesi%25C3%25B3n
    • https://static.s123-cdn-static.com/uploads/4444123/normal_5ffda6bda3c4a.pdf
    • https://cdn-cms.f-static.net/uploads/4401558/normal_5fd1c50a9d8bd.pdf
    • http://neuroncraft.online/pozaxukolodugafazager8ice3.pdf
    • http://sokepazetovul.22web.org/zusidukeviz.pdf
    • http://winfreeiphone.xyz/local_area_network_lan_speed_testing_softwaregxnik.pdf
    • http://woodlesenka.ru/club_car_wash_corporate_officeuzzgi.pdf
    • http://itdomen.fun/fight_club_5_files757a4.pdf
    • http://digitalmicroteter.xyz/sap_inbound_delivery_serial_number_tablevrdd3.pdf
    • https://static.s123-cdn-static.com/uploads/4366369/normal_5fe3e58e235eb.pdf
    • http://fawejidiribap.22web.org/the_blue_book_of_grammar_and_punctuation_eleventh_edition.pdf
    • https://cdn.sqhk.co/xekowodu/iclijVq/87618254000.pdf
    • http://rcasino.info/2207923673q3ktc.pdf
    • https://static.s123-cdn-static.com/uploads/4485152/normal_5fe00257a0d7c.pdf
    • http://xisulekotitis.iblogger.org/lg_inverter_v.pdf
    • http://iwhite.space/tugimelezorr44qq.pdf
    • https://cdn.sqhk.co/fivuwunar/igjfhgH/14935968321.pdf
    • https://cdn-cms.f-static.net/uploads/4445128/normal_6046db7907399.pdf
    • https://cdn.sqhk.co/valujoper/uAeghgi/57654300510.pdf
    • https://cdn-cms.f-static.net/uploads/4486984/normal_604e57c096ea2.pdf
    • https://static.s123-cdn-static.com/uploads/4464521/normal_5ff55067468d7.pdf
    • https://static.s123-cdn-static.com/uploads/4366956/normal_6004b15c73a7f.pdf
    • https://cdn.sqhk.co/xokebuzizo/tiahebD/livapadajotani.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://mesobuze.epizy.com/kuliwoxafelixufu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • font_00_sfnt_off0000fc34.bin
    SHA-256: 7a74e48299c4e39386e005b135fddd107a2be68ae21038a7697d066a91f183cf
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xFC34 | Size: 5100 bytes
  • font_01_sfnt_off00010d26.bin
    SHA-256: f101fc3023143cbc24e87e2583c027b8b5ab7dfb9504abb66ff99af634bcdac9
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x10D26 | Size: 1804 bytes
  • font_02_sfnt_off00011601.bin
    SHA-256: cc46e4ca0dc1f30efd6125ed43caebd015dafd4310961cedc6eeab34297bb0ab
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x11601 | Size: 12132 bytes
  • font_03_sfnt_off00013dc0.bin
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x13DC0 | Size: 4324 bytes