Malicious PDF — malware analysis report

Static analysis result for SHA-256 b47ed86f7c875631…

MALICIOUS

PDF

Size: 77.2 KB
Created: 2021-03-17 09:57:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf1d0fb5a859697314b08c0d67e60395
SHA-1: 9e3a7a89842b87995b3d6651c6be1e25900bb3cb
SHA-256: b47ed86f7c8756317d5c13d8accf5173904069dbea9807ab21f588e36710b8f9
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious domain, identified as malicious by ClamAV and ML classifiers. The document body, though heavily obfuscated, suggests a lure related to 'live acoustic performance'. The presence of embedded URLs and the nature of the detection indicate a phishing or redirection attempt to a malicious site, likely to deliver a secondary payload or conduct further social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/123?utm_term=best+live+acoustic+performance
    • https://lezanixopedem.weebly.com/uploads/1/3/4/8/134886347/xawimemifalebunevaba.pdf
    • http://kusawib.iblogger.org/93513681459.pdf
    • http://noxogejukebe.mypressonline.com/corpus_linguistics_for_elt_research_and_practice.pdf
    • https://lezanaxowap.weebly.com/uploads/1/3/2/6/132696506/3168156.pdf
    • http://manovina.mypressonline.com/91881629337.pdf
    • http://vazawujuzu.sportsontheweb.net/stevie_wonder_journey_through_the_secret_life_of_plants_album.pdf
    • http://volalagokiva.sportsontheweb.net/bernarr_macfadden_books.pdf
    • http://peromopativej.mypressonline.com/53450068275.pdf
    • http://vuvefezod.iblogger.org/wipifetevaruneda.pdf
    • http://busevabafumoje.iblogger.org/corbett_maths_factorising_worksheet.pdf
    • http://jabudapitu.scienceontheweb.net/what_is_the_best_roku_tv_brand.pdf
    • http://lamaded.mywebcommunity.org/zivimukowadirawulifanidu.pdf
    • https://vefibaxo.weebly.com/uploads/1/3/1/3/131379874/gafomipes-zifin-gigeworuz-vovebon.pdf
    • http://veruvipavopa.getenjoyment.net/44820548431.pdf
    • http://kimujedat.mygamesonline.org/classroom_management_in_urdu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8974ddca-53af-43c4-a601-177eef686739/what_is_the_theme_of_the_novel_tempest.pdf
    • http://xovolefewawex.atwebpages.com/libin.pdf
    • https://uploads.strikinglycdn.com/files/1ea864d9-a7cb-420c-b3b9-86e267779efc/how_to_trade_stocks_before_market_opens.pdf
    • https://dba0ca6b-c979-46b3-87c9-041648dee063.filesusr.com/ugd/6f58fb_69ac33c287604cb395736a21237c5376.pdf?index=true
    • https://ce2645ba-e89a-43d5-afff-5c0150757291.filesusr.com/ugd/c63dba_05087610d67b4e74b5748fddc3b4c2cf.pdf?index=true
    • https://8ecf7690-1f99-4e28-a4b6-3228ba9731d7.filesusr.com/ugd/63d3ad_b9f3fbc4a9d14d48a30ed4ab8e519e3d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0ef08df0-2163-49a7-9ee2-b32a28a9a91f/90964113346.pdf
    • https://uploads.strikinglycdn.com/files/653e9106-fc12-4ce3-9bb4-f4df9c21965f/dd_warforged_colossus_size.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000efba.bin
    SHA-256: 261ebc230f9decb27b76b8aba0ba772c628e80c5208975297431e42c8955d44c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFBA
    Size: 5268 bytes
  • font_01_sfnt_off0001019d.bin
    SHA-256: 72b2d47e71c398dca54398effea0728a13731901875d1e5434b2ab81357b6836
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1019D
    Size: 11176 bytes