Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4aa9b1e4531b0bd…

MALICIOUS

PDF

Size: 217.2 KB
Created: 2021-03-18 14:10:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4114a07bacf6a4b00a18b9a030ca2653
SHA-1: e6bfb527bd74c48ae1c231eeaf119f860efe1bdf
SHA-256: b4aa9b1e4531b0bd4e298f23d4a6fcaa85b39aa5c416104677cf87225b68e06a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Both ClamAV (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the Nyx ML classifier (score 0.9839) flag this PDF as malicious. The document carries an external /URI action whose target, https://vilenefex.ru/wix?keyword=sow+thought+pathfinder, is the likely landing page for a phishing form or a further download; URL extraction also surfaces a large set of links to .pdf files hosted on free-hosting sites (weebly.com, strikinglycdn.com, sqhk.co). The extracted text is heavily obfuscated but points to a 'Sow thought pathfinder' lure. No JavaScript or other scripts were extracted, so the T1059.007 tag is not backed by any recovered script and should be treated as unconfirmed; the verdict rests on the external URI, the duplicated object definition, and the signature and classifier hits, which together indicate a phishing or malware-delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9839

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    The PDF contains a /URI action, i.e. a link that opens an external URL in the reader's browser when followed.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the victim's viewer. Body-only differences are also common in benign incremental updates (a re-saved document appends a new copy of a changed object), so severity is raised only when the duplicate carries active content such as a /URI, /JavaScript, /Launch or /OpenAction entry.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL on its own is not a detection; the per-URL labels (not reproduced in this report) record which channel (macro, JS, link annotation, document body, ...) reached each one. Note that the http://www.w3.org/1999/02/22-rdf-syntax-ns#, http://purl.org/dc/elements/1.1/ and http://ns.adobe.com/ entries near the end of the list are XMP metadata namespace identifiers rather than links, and http://scripts.sil.org/OFL is the SIL Open Font License URL; these, and most likely the ascendercorp.com links, come from the metadata of the two embedded fonts carved below and carry no indicator value.
    • https://vilenefex.ru/wix?keyword=sow+thought+pathfinder
    • https://torevoxun.weebly.com/uploads/1/3/2/7/132712334/xozakewotirurami.pdf
    • https://bulurumuz.weebly.com/uploads/1/3/1/1/131163623/lafej-pexawupozuv-bixarirum-lumofiratedimot.pdf
    • http://alisaborodaenko.design/jadafoditep72v0.pdf
    • https://narofuputukate.weebly.com/uploads/1/3/4/5/134585455/8628693.pdf
    • https://cdn.sqhk.co/tabuguran/aijhe0q/88500368295.pdf
    • https://zavomejuguz.weebly.com/uploads/1/3/1/1/131163615/71e5c61914d.pdf
    • http://discount50it.pro/getedugodefekanapqcdmm.pdf
    • https://xabomipa.weebly.com/uploads/1/3/4/4/134484571/6279ed470f879.pdf
    • https://fopaxiguvoxux.weebly.com/uploads/1/3/4/5/134584781/rakunowupebavosesu.pdf
    • https://cdn.sqhk.co/jadizefon/hav1jd4/20200231906.pdf
    • https://wobipogipexiwom.weebly.com/uploads/1/3/1/0/131070125/bbbc5f1151c5a.pdf
    • https://cdn.sqhk.co/wojidumezu/mhhWiei/fudovepu.pdf
    • https://debesawoxud.weebly.com/uploads/1/3/0/7/130775383/7955565.pdf
    • http://amorexpo.com/dupiwitesozurumuvonudenujb1kbr.pdf
    • http://robertferrell.net/english_short_stories_for_intermediate_learners_downloadcg36n.pdf
    • https://cdn.sqhk.co/dasupejej/lhfhahg/kiregimexibotug.pdf
    • https://jexedijelewa.weebly.com/uploads/1/3/4/5/134518212/kusobawuwub_risomer.pdf
    • http://feedbacrnz.space/kawasaki_engine_warranty_periodir1tz.pdf
    • https://cdn.sqhk.co/wodegamido/jVhhiji/43444599221.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/aaf178e5-11b0-439d-b06d-1a5547347ae8/zisuwififabadom.pdf
    • https://uploads.strikinglycdn.com/files/90528f19-500b-44e3-b2df-12758b82803d/96656343971.pdf
    • https://uploads.strikinglycdn.com/files/779e1fde-f16f-41f0-ab44-17c302c73b42/zoxojoxevebutedewuwuvik.pdf
    • https://uploads.strikinglycdn.com/files/6e490598-3eb0-4bef-8de8-19ea4e89c259/what_are_the_five_arguments_for_the_existence_of_god.pdf
    • https://uploads.strikinglycdn.com/files/545c264d-a208-4ebc-b799-21deb3bd4615/big_nate_blasts_off.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
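The three structural heuristics above (PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL) can be reproduced with a small regex-based scanner. The script below is an added example, not the report's own tooling: it enumerates every `N G obj ... endobj` definition in the byte stream regardless of the xref table, flags object numbers defined more than once with differing bodies and shows what a first-wins versus a last-wins reader would resolve, and extracts URLs labelled by the channel that reached them (a clickable /URI action, an XMP namespace identifier, or plain body bytes). The embedded sample PDF, its hostnames (example.test, lure.invalid) and the object layout are constructed for the demonstration.

```python
"""Added PDF triage scanner (example code, not the analysis platform's own).
Regex-based and xref-agnostic, so it sees every object definition in the file,
including the copies appended by incremental updates."""
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")
# XMP namespace identifiers appear in any PDF carrying metadata; they are not links.
XMP_NAMESPACES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                  "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")
# Keys that make a duplicated object "active content" rather than a benign re-save.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

# Constructed sample: a one-page PDF whose link annotation (5 0 obj) is redefined
# in an incremental update. Hostnames are placeholders; xref tables and stream
# /Length values are omitted because this scanner does not consult them.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.test/report.pdf) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF'
    b' xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
    b' xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>\n'
    b"endstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different target
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://lure.invalid/wix?keyword=sow+thought+pathfinder) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)


def parse_objects(data):
    """Map (object number, generation) -> list of body bytes, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """[((num, gen), definition_count, carries_active_content), ...] for every
    object number defined more than once with at least two distinct bodies."""
    hits = []
    for key, bodies in objs.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            hits.append((key, len(bodies), active))
    return sorted(hits)


def resolve(objs, key, policy="last"):
    """The body a first-wins or a last-wins reader would use for this object."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]


def extract_urls(data, objs):
    """[(url, channel), ...]; channel is 'uri-action', 'xmp-namespace' or 'body'."""
    found, seen = [], set()
    for bodies in objs.values():  # /URI actions: the clickable, attacker-chosen links
        for body in bodies:
            for m in URI_RE.finditer(body):
                url = m.group(1).decode("latin-1")
                if url not in seen:
                    seen.add(url)
                    found.append((url, "uri-action"))
    for m in URL_RE.finditer(data):  # everything else: metadata, font info, page text
        url = m.group(0).decode("latin-1")
        if url in seen:
            continue
        seen.add(url)
        found.append((url, "xmp-namespace" if url.startswith(XMP_NAMESPACES) else "body"))
    return found


def triage(data):
    objs = parse_objects(data)
    return {"objects": len(objs), "duplicates": duplicate_objects(objs),
            "urls": extract_urls(data, objs)}


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for key, n, active in duplicate_objects(objs):
        print(f"{key[0]} {key[1]} obj defined {n}x, active content={active}")
        print("  first-wins:", resolve(objs, key, "first").decode("latin-1"))
        print("  last-wins: ", resolve(objs, key, "last").decode("latin-1"))
    for url, channel in extract_urls(SAMPLE_PDF, objs):
        print(f"{channel:14} {url}")
```

Run against the sample, the scanner reports `5 0 obj` defined twice with active content, with the first-wins body pointing at example.test and the last-wins body at lure.invalid, and labels the two XMP namespace URLs as `xmp-namespace` so they are not mistaken for link targets. Real viewers resolve objects through the xref chain rather than by position, so first-wins and last-wins are the two extremes a scanner should enumerate, not a model of any one reader.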

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00031e4a.bin
    SHA-256: 3128dfdfa0f82ed04f6eb1311786ba147f153e8190ffa2c6030ad6ff30e05acc
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x31E4A
    Size:    5288 bytes

Filename: font_01_sfnt_off0003305f.bin
    SHA-256: ddf01d5c25a1027072d6853b45d1b1bd5cf96978b5bed884ac590ab0ff640629
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x3305F
    Size:    10592 bytes