Malicious PDF — malware analysis report

Static analysis result for SHA-256 b417ce45c2fc34e9…

Verdict: MALICIOUS
File type: PDF
Size: 81.5 KB
Created: 2021-03-26 15:24:20 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b7ab2dfac5a26fd72cbf08534244f8a0
SHA-1: 2f509a734180e5e006dd85bf2f4cbb69480616cc
SHA-256: b417ce45c2fc34e9983e3b0bb342ebc08c18c16175d3ad797056b5de73a1eb2b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF file flagged by ClamAV as Pdf.Phishing.Trojan. The ML classifier also strongly indicated maliciousness. An external URI pointing to 'soxebez.ru' was extracted, suggesting a phishing or malware distribution attempt. While no scripts were explicitly extracted, the PDF structure and heuristic firings indicate it is designed to trick users into visiting a malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/wix?keyword=st+joseph+cemetery+massillon+ohio
    • http://presente-top.store/powapixopu8abpx.pdf
    • https://static.s123-cdn-static.com/uploads/4386333/normal_5ff4262230250.pdf
    • http://form-lnstagramcopyrightservices.com/what_causes_fluid_filled_bumps_in_mouthwbebh.pdf
    • https://cdn-cms.f-static.net/uploads/4451950/normal_6010d2d892c34.pdf
    • https://cdn-cms.f-static.net/uploads/4477138/normal_60599d2d11958.pdf
    • https://cdn-cms.f-static.net/uploads/4499635/normal_602164f1ac7c1.pdf
    • http://paksorond.xyz/danielle_steel_neighbors_vk7tt8z.pdf
    • https://static.s123-cdn-static.com/uploads/4462974/normal_5feb9cc928c78.pdf
    • https://cdn-cms.f-static.net/uploads/4466143/normal_603557083c37a.pdf
    • http://ighelpcenter.xyz/gefuwanokinguzaa.pdf
    • https://cdn-cms.f-static.net/uploads/4366010/normal_601dfc1fcdb0f.pdf
    • http://yandex-delivery.cc/fee_management_system_project_reportbwvv0.pdf
    • http://rafale.store/91252699428slnsq.pdf
    • https://cdn-cms.f-static.net/uploads/4370319/normal_6051231bccefe.pdf
    • https://cdn-cms.f-static.net/uploads/4444622/normal_6047cd51c85fd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/zowibatev/symantec_vip_self_service_portal_accenture.pdf
    • https://s3.amazonaws.com/dekogamik/harry_potter_hogwarts_acceptance_letter.pdf
    • https://uploads.strikinglycdn.com/files/0fd33013-bb0a-4a80-98f0-0c14ecc71cd5/6.0_powerstroke_oil_cooler_torque_specs.pdf
    • https://s3.amazonaws.com/fobupojowojon/mcgraw_hill_spanish_1_answer_key.pdf
    • https://s3.amazonaws.com/lorugipopuxe/32393649161.pdf
    • https://uploads.strikinglycdn.com/files/8dce2c7b-ce77-4305-9d10-6a9fa39d5460/plantronics_bluetooth_headset_charger_cable.pdf
    • https://s3.amazonaws.com/memexelu/56268799538.pdf
    • https://uploads.strikinglycdn.com/files/f6ae8bae-e606-4e4c-9693-e8212a70cd5a/how_does_epsom_salt_draw_out_splinters.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ebc6.bin
    SHA-256: 61750394aca7df446d85604786f09f883922d4043edfb6f7ddea864b9c5d8db0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEBC6
    Size: 5244 bytes
  • Filename: font_01_sfnt_off0000fd75.bin
    SHA-256: f46c1f92e8e9c4cf3b1c912c296e54ba9473aa8f8196d38c0025c7c91682820a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFD75
    Size: 14236 bytes
  • Filename: font_02_sfnt_off00012aaf.bin
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12AAF
    Size: 4324 bytes