Malicious PDF — malware analysis report

Static analysis result for SHA-256 b362d2fa7db4c649…

MALICIOUS

PDF

156.9 KB Created: 2021-03-31 13:16:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eb5604a96876ffd0c3df07c5fa404a68 SHA-1: 0e7ea03c00ab0bbe9423b8d34573d48605ed504c SHA-256: b362d2fa7db4c6494a4dee702c7fc5972a4b8707789d64dbf6dede4231636602
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an embedded URI pointing to a suspicious domain, which is likely used to deliver a secondary payload. The document body, though heavily obfuscated, suggests a lure related to educational materials to trick the user into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9699

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/award?keyword=phonemic+chart+with+sounds+pdf
    • https://cdn.sqhk.co/lidabofob/cIge4yJ/wajomeraxiwunewew.pdf
    • http://neriwor.medianewsonline.com/24836399358.pdf
    • https://cdn.sqhk.co/kanereneb/jgbjgrH/36468832899.pdf
    • http://martakkord.ru/totarez5krgv.pdf
    • http://kovatafob.mypressonline.com/sosujiboxanevanunawuv.pdf
    • http://zdorovie-vashe-vse.xyz/what_is_the_best_time_for_squid_fishingq05h9.pdf
    • http://teachost.com/sequence_worksheets_for_grade_67m32m.pdf
    • http://vorgazme.com/nizaxtnl49.pdf
    • https://cdn.sqhk.co/xinoxoxojib/esChejA/belawanizisamezubopon.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • http://www.daltonmaag.com/
    • https://4123e755-5e7e-4fb8-b167-49ba90d37259.filesusr.com/ugd/fd3290_491ca7ed8a984e1bac63171c108a5211.pdf?index=true
    • http://fabonejane.onlinewebshop.net/stages_of_hematopoiesis.pdf
    • https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_49e51016166e4346b238c1f8c288c987.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dca3c36d-015c-4925-8ae6-66435a815c8f/what_is_a_1971_ford_mustang_mach_1_worth.pdf
    • https://uploads.strikinglycdn.com/files/dcdef569-95d8-461c-8bac-3f97fcf265d9/wordpress_download_images_from_media_library.pdf
    • https://uploads.strikinglycdn.com/files/4b528dbc-1995-42cf-a5a8-5bb34fc22f75/wezatixosunuwo.pdf
    • http://zulolabopel.myartsonline.com/25381330460.pdf
    • https://uploads.strikinglycdn.com/files/6887a2b2-29d6-4eae-80f7-7b546ba994bf/39930650925.pdf
    • https://af0fe010-594a-4ec7-a26b-e2d78e33490d.filesusr.com/ugd/7d2910_0b66de13c7424d638264092ca1798206.pdf?index=true
    • https://03386fec-e341-46be-bf9f-2f2bd19f9bfe.filesusr.com/ugd/bf57b5_ace0dfa8510a4775b8606c3b29fe48ef.pdf?index=true
    • https://b615eccc-4413-4b1d-8109-ede925130a83.filesusr.com/ugd/0994f9_7c266885601348dd8f30e0587a4b31a1.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/lgpl.htmlRegularDanhHong
    • http://www.geocities.com/dnhhng
    • http://www.gnu.org/licenses/gpl.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00019818.bin
ce0ea65e949dc5062ac7954cc64747dbcc67832053da7203b1ecc810f9b2cad9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19818 5336 bytes
font_01_sfnt_off0001aa0b.bin
bffdd3df35f27fa4072d99ed955eae36933defe66f7e260648fdc4b6417b8c08		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1AA0B 42028 bytes
font_02_sfnt_off0001f83c.bin
e4e6c98553d6efef3ed02bc8882442c9a818dd35dc8986b6f0485933f2d8c004		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1F83C 6980 bytes
font_03_sfnt_off00020afd.bin
95727e714d0d26903802aa201524dbb563b9878ea2714a601712c582dc477e46		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20AFD 17864 bytes
font_04_sfnt_off00023fb1.bin
757edbe9ca696dc752e8794cc2fab55b744a24b197aba41abea0c8f583a0f3ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23FB1 16116 bytes
font_05_sfnt_off0002548d.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2548D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.