Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4c7d6de8cc4f970…

Verdict: MALICIOUS
File type: PDF
Size: 93.1 KB
Created: 2021-03-16 17:07:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 652b2f44e922ebc295a017fd81f7110f
SHA-1: d61c0fcdebceaa5c1055c2d26a2396649bcc1160
SHA-256: b4c7d6de8cc4f970fc610e7ecdf130f614b4280e89793ad171a13ad6f18e44c2
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious domain, identified as malicious by ClamAV and a machine learning classifier. The document body, though heavily obfuscated, suggests a lure related to a 'beginner's guide'. The presence of an external URI indicates an attempt to redirect the user to a potentially malicious site, likely for phishing or to download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00012eb9.bin
    SHA-256: 87a7e25541dac27c28253bef440f0d30954abc9d0570acefbe4a28038f7cb9a8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12EB9
    Size: 5080 bytes
  • Filename: font_01_sfnt_off0001400b.bin
    SHA-256: 0a78c2b46946c480058e37d7419b5fd1c9ebe1239c0064fa32a54d80cc9b492d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1400B
    Size: 11084 bytes