Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5f27d1054302135…

Verdict: MALICIOUS
File type: PDF
Size: 68.8 KB
Created: 2021-03-11 20:56:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 61f7cab5a53bea70aed5d12d1a839d32
SHA-1: 13d006f9df2147932d0196f101a7726ca77eea2c
SHA-256: b5f27d1054302135bd329a50be88609be91973f4e295977622cb7ff654252994
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and by ClamAV, which flags it as a phishing trojan. It contains an embedded URL (https://jacksth.ru/wix?keyword=chelsea+pto+manual) leading to a suspicious domain, most likely intended to serve a payload or redirect the user to a phishing page; the query string matches the lure in the partially corrupted document body, a "Chelsea pto manual". The other navigational URLs point to further .pdf files hosted on free web hosts and public CDNs, while the remaining entries are XMP namespace and font-licence URIs that the authoring application emits into metadata and are not a user-reachable link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=chelsea+pto+manual
    • http://kobivoweder.mypressonline.com/what_does_black_ribbon_symbolize.pdf
    • https://cdn.sqhk.co/lesasafo/Sgmhiie/zirovi.pdf
    • https://cdn.sqhk.co/jutalufelex/Rjgggwh/niwebegebigowixizedur.pdf
    • http://xexogafuko.22web.org/mizupuzoxaruxarupu.pdf
    • https://cdn.sqhk.co/zumedizojas/jbia6wj/sugilaxizodad.pdf
    • http://powajaxib.medianewsonline.com/rodikosezupezarega.pdf
    • http://bisipatelaloguj.66ghz.com/glioblastoma_multiforme_grade_4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://02ee9779-94d6-4ec7-959f-c0f99fe19a35.filesusr.com/ugd/cdc607_140988590e614da1afca403611f46fe4.pdf?index=true
    • https://uploads.strikinglycdn.com/files/dfe08a21-4d2c-49c0-b6c0-2339187698c9/ewi_5000_vs_4000s.pdf
    • http://vujapoguxesak.myartsonline.com/motorola_arris_sb6141_setup.pdf
    • https://uploads.strikinglycdn.com/files/ed617a13-beef-4fba-bffa-c469e13b1156/vimopurolonawapupanunil.pdf
    • http://rowomasogig.epizy.com/lord_i_need_you_chords.pdf
    • https://uploads.strikinglycdn.com/files/47e9b968-29c1-4de6-a5fe-606bb4ae34a3/wasorokuni.pdf
    • http://tagijonegularol.myartsonline.com/rovon.pdf
    • https://a8a2d6b8-6248-42a0-90a4-e25e421c2e59.filesusr.com/ugd/f63f29_c232f36ab8d44a519f98780fba0ed151.pdf?index=true
    • http://didiwufujoloj.rf.gd/jorokuriroxaripili.pdf
    • https://b595a6f9-6bcb-48d8-acfc-7cb8c696cf55.filesusr.com/ugd/21f311_c4e1981f6fdb4e1f9f7b6038b959bb66.pdf?index=true
    • https://4b67404f-136a-46a0-9cf3-151f2d38faab.filesusr.com/ugd/241fd5_b5d1791c8a23497e90b601e205ad7f8b.pdf?index=true
    • https://fe426b01-1dd0-498a-b08e-7ec37e320b94.filesusr.com/ugd/6b45f0_480c8f4db2cb47039963073e8483fe7a.pdf?index=true
    • https://72dfff08-f6cb-4f5d-aaac-ebe71175d6a6.filesusr.com/ugd/c268f7_a9240e59c3494d43b54f343729892287.pdf?index=true
    • https://0ecef3a8-5193-4df1-8dcb-1b7dd0f2be2a.filesusr.com/ugd/e6092c_cd980ef2957a4bd4b84418a3782816d3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0a3a4957-359c-4bac-8e33-977984993f43/ruxizikavifasixulosus.pdf
    • https://uploads.strikinglycdn.com/files/d5d6c134-df07-4073-abce-5b0c086654d8/13925741021.pdf
    • https://013c3ecd-17dd-4738-ad87-554153c764a5.filesusr.com/ugd/36f25b_fb85601b51ec46eb8427fac91dda60d9.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
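The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics above describe two checks a triage pipeline runs over the raw bytes of a sample: find indirect objects (N G) that are defined more than once with different bodies, decide whether the duplicate carries active content, and show which URL a first-wins reader versus a last-wins reader would actually resolve. The script below is an added illustration written for this report, not code from the analysis engine that produced it. It runs on a constructed minimal PDF (SAMPLE_PDF, with an incremental update that redefines a link annotation and a page-tree node) and approximates object resolution by byte order rather than by walking the xref chain, which is the triage shape the heuristic refers to; the ACTIVE_KEYS list and the URL in the sample are assumptions for the example.

```python
"""Triage a raw PDF for duplicate object definitions and parser-dependent /URI actions."""
import re
from collections import defaultdict

# Matches "N G obj ... endobj"; the lookbehind stops a match from starting mid-number.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that let an object act when the document is opened (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# Constructed sample: a minimal PDF plus an incremental update that redefines
# object 4 (the link annotation) with a different /URI and object 2 with a
# body-only change that carries no active content.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
 /A << /S /URI /URI (https://example.invalid/benign) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
 /A << /S /URI /URI (https://example.invalid/lure?keyword=manual) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""


def parse_objects(data):
    """Return every indirect object definition as (num, gen, body, offset), in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start())
            for m in OBJ_RE.finditer(data)]


def resolve(objs, policy):
    """Map (num, gen) -> body the way a first-wins or last-wins reader would.

    Real readers follow the xref chain; resolving by byte order is the
    approximation a carver uses when the xref is missing or deliberately broken.
    """
    table = {}
    for num, gen, body, _ in objs:
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def find_duplicates(objs):
    """Report each (num, gen) defined more than once with differing body bytes.

    Severity is raised only when some definition carries active content, so a
    benign incremental update (metadata or layout change) stays informational.
    """
    by_id = defaultdict(list)
    for num, gen, body, off in objs:
        by_id[(num, gen)].append((off, body))
    findings = []
    for key, defs in by_id.items():
        bodies = [b for _, b in defs]
        if len(defs) < 2 or len(set(bodies)) < 2:
            continue
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({"obj": key, "definitions": len(defs),
                         "offsets": [o for o, _ in defs],
                         "active": active,
                         "severity": "high" if active else "info"})
    return sorted(findings, key=lambda f: f["obj"])


def uri_actions(table):
    """Return sorted (num, gen, url) for every /URI action in a resolved object table."""
    out = []
    for (num, gen), body in table.items():
        for m in URI_RE.finditer(body):
            out.append((num, gen, m.group(1).decode("latin-1")))
    return sorted(out)


def triage(data):
    """Run both checks and list the URLs whose reachability depends on the reader."""
    objs = parse_objects(data)
    first = uri_actions(resolve(objs, "first"))
    last = uri_actions(resolve(objs, "last"))
    return {"duplicates": find_duplicates(objs),
            "uris_first_wins": first,
            "uris_last_wins": last,
            "parser_dependent_uris": sorted(set(first) ^ set(last))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

On the sample, object 2 is reported at info severity (body-only change, no active keys) while object 4 is raised to high because both definitions carry a /URI action; the first-wins and last-wins tables disagree on which URL the link opens, which is exactly the disagreement the duplicate-object heuristic is designed to surface before a URL is attributed to a channel.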

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d016.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD016  4868 bytes
  SHA-256: 96cfeb5e37f30405581521175c2cbbf8606f551c44bcd87a2d08e861888e4649
font_01_sfnt_off0000e073.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE073  11080 bytes
  SHA-256: d6bc2fd9dc4593501f70e7709dd8e1e717b9b87762520024eeba3e4439fbeefb