Malicious PDF — malware analysis report

Static analysis result for SHA-256 b465c77222fba446…

MALICIOUS

PDF

Size: 79.8 KB
Created: 2021-02-21 06:21:42 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 699f58c566534e9d5e62e0116ed70810
SHA-1: 5b1de4bf497f918619153b0418048a1a1b0f98d7
SHA-256: b465c77222fba446b01cab67e16bf1c27955b9e0c9cf954cf4b6b644e00134e2
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF with high confidence. The document body is heavily obfuscated, but the presence of the external URI suggests a phishing or malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000fbf2.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xFBF2    5016 bytes
  SHA-256: f067daac746af15b988bd7d76780290d807c9c05f1616b606f314ca1e7d3b9c8
font_01_sfnt_off00010cf6.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10CF6   11004 bytes
  SHA-256: b09033452c3c97c36988f78be709b1133ca73a1454102adea8b6b9174b8a27ee