Malicious PDF — malware analysis report

Static analysis result for SHA-256 b54e787b477ead73…

MALICIOUS

PDF

73.2 KB Created: 2021-03-20 08:41:29 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 24fcf9529dfc47428c8133ac64228171 SHA-1: d066db99bdf05045922c4630c157fd2518ff7e97 SHA-256: b54e787b477ead73af31913e6ef769fd2890b4e5ffc0bec3bc448694adc7bc84
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that directs users to a website likely intended for phishing or malware distribution. ClamAV detection and ML classification strongly indicate malicious intent. The embedded URL, https://leonvi.ru/wix?keyword=relic+watch+manual, is the primary indicator of this phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/wix?keyword=relic+watch+manual
    • http://betmoy54.com/xuvoxii9p9a.pdf
    • http://stylecurtains.com/multiplier_par_10_100_ou_1000_ce2qt69f.pdf
    • http://appletopshop.ru/896726866841wgcn.pdf
    • http://sawemawe.mywebcommunity.org/71807330100.pdf
    • http://clubstore.info/26380979909brxza.pdf
    • http://starkrobotics.org/94897470953m3bm9.pdf
    • https://cdn.sqhk.co/bitaxukezor/FMVjigf/rezaxivodakije.pdf
    • https://cdn.sqhk.co/xurinuwame/mJ2ifif/15689306067.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://98350ace-7ac4-4f38-a9d9-579fdad8050b.filesusr.com/ugd/9b2d9b_3379e199d52346f9adbedbd741816ad7.pdf?index=true
    • https://s3.amazonaws.com/pogolo/why_wont_my_samsung_tv_connect_to_the_wifi.pdf
    • https://68420551-d949-41c4-975b-2ae86aa6d062.filesusr.com/ugd/09c3c7_8724e23a2bbf4299af6854c8ad3931ec.pdf?index=true
    • https://s3.amazonaws.com/lefemijip/83938273326.pdf
    • https://52f9d6e5-2fd5-4906-a030-4d12f703b62a.filesusr.com/ugd/297ecd_d9ea1407bbef4a7f9ea46ec588ba5a63.pdf?index=true
    • http://davinawoguzag.atwebpages.com/tituluwosirakuvu.pdf
    • https://16dc6c2a-32e3-4a69-9eea-5b59d93654f8.filesusr.com/ugd/176c29_e3382ee17b5c418e95587c3003e24c2f.pdf?index=true
    • https://s3.amazonaws.com/jefobexapulow/candida_albicans_pathogenesis.pdf
    • https://s3.amazonaws.com/dixaleko/82576955365.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2df.bin
bd95583333b6869b386c3bd5747d2238fed044cfef3f78b18c715d74b14d41e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE2DF 4864 bytes
font_01_sfnt_off0000f35b.bin
44ee9628c0338bc7ed658015b91938cf45fad3e32b98b1d8d585f3daf1567239		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF35B 10932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.