Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4c1dca314b18eec…

MALICIOUS

PDF

83.3 KB Created: 2021-02-28 11:42:06 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 19e03051b1a083221720f6c27738f710 SHA-1: 22c51d5d3b1f8cae38d71a940db50b25b99fa327 SHA-256: b4c1dca314b18eecfe62b2a7e193a7b2e8750ee255c0165be12d7e4336b592eb
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains embedded URLs, one of which is flagged as suspicious and potentially malicious. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to contain text related to product reviews, suggesting a lure to disguise the malicious nature of the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://vilenefex.ru/123?utm_term=whirlpool+4.3+top+load+washer+reviews
    • http://ygrash.website/salunivapavo4rjio.pdf
    • http://botanilix.mygamesonline.org/element_tv_codes_for_xfinity.pdf
    • http://vovpomnim.ru/free_template_cv_creativehj4ov.pdf
    • http://sowoxapexemex.sportsontheweb.net/55071081177.pdf
    • http://kedugobepuged.mywebcommunity.org/gomiwesebegezijudewum.pdf
    • http://kirakexig.mypressonline.com/berenstain_bears_youtube_episodes.pdf
    • http://runaxok.iblogger.org/colon_and_semicolon_worksheets_high_school.pdf
    • http://lynciguest.com/vizio_s3821w-c0_remote_codep16j9.pdf
    • http://xejepurefe.scienceontheweb.net/2013_dodge_charger_rt_daytona_specs.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kakef/china_visa_application_form_botswana.pdf
    • https://s3.amazonaws.com/bezorito/nukujipibameruposudulup.pdf
    • https://s3.amazonaws.com/xalexojaxipud/88132007035.pdf
    • http://dafevuzadolax.epizy.com/95169082425.pdf
    • http://revupeponalewuj.epizy.com/galaxy_s9_plus_review_android_central.pdf
    • http://residarifuwus.rf.gd/xeduwib.pdf
    • https://s3.amazonaws.com/fezenur/kayle_guide_9._23.pdf
    • https://s3.amazonaws.com/gapuruxumeg/rajodonu.pdf
    • https://s3.amazonaws.com/bovenotojitowe/2004_dodge_ram_3500_owners_manual.pdf
    • http://juwelaloz.epizy.com/xebimabuzufifilupix.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010823.bin
79961a29fa7c4168329561b5636b21475d3ee9115c63d6aa58984002ab0001f9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10823 5496 bytes
font_01_sfnt_off00011af4.bin
285bba091ad870301d5db48e26ccee7148817c1d6dc2ea35536dbb7dcb9e1935		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11AF4 10780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.