Malicious PDF — malware analysis report

Static analysis result for SHA-256 b640aa25e7f81f1a…

MALICIOUS

PDF

70.8 KB Created: 2021-03-11 09:48:40 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2b972a69abe9e119a1fad570e9604771 SHA-1: 17d57c00439a38915eb7dd3b6406d3dec0045a02 SHA-256: b640aa25e7f81f1aeb9f7a33c76dc79522e1f0969a7e7c56ff6c0ba8f8502d1d
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains heuristics indicating suspicious links and is flagged by a machine learning classifier and ClamAV as malicious. One of the embedded URLs, http://securitycheckingbrowservkcom.xyz/pogopalilasewuboketiwilei8sgs.pdf, is particularly concerning as it is presented as an invisible link. The document body, though heavily obfuscated, suggests a lure related to 'fact family multiplication worksheets', which is a common tactic for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/123?utm_term=fact+family+multiplication+worksheets
    • https://static.s123-cdn-static.com/uploads/4366358/normal_5fddb66f460b1.pdf
    • https://cdn-cms.f-static.net/uploads/4467560/normal_5fdbd70fd1a73.pdf
    • http://securitycheckingbrowservkcom.xyz/pogopalilasewuboketiwilei8sgs.pdf
    • https://static.s123-cdn-static.com/uploads/4369168/normal_5ffc79b088d9a.pdf
    • https://cdn-cms.f-static.net/uploads/4374698/normal_6046b2209b9ec.pdf
    • http://crawlmqyu.space/85878328313lt2y5.pdf
    • http://onlinekartiadesi.com/544187147729q1kx.pdf
    • http://starconflict-game.ru/500_poses_for_photographing_couplesoemw6.pdf
    • https://cdn-cms.f-static.net/uploads/4473062/normal_6047e71ca1709.pdf
    • http://fabulouss.space/emotion_cards_freeab42f.pdf
    • http://leftoutclub.com/westie_haircut_guidevrw1t.pdf
    • http://josisenepezu.iblogger.org/cazadores_de_sombras_pelicula_completa_en_espaol_latino.pdf
    • http://retibojebefav.22web.org/cosco_baby_car_seat_instructions.pdf
    • http://tiktokcopyrighthelpteam.com/cours_redressement_double_alternancesbuzr.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/df0260ca-993a-4f3d-9c54-c10d31708952/91588685179.pdf
    • https://uploads.strikinglycdn.com/files/941fdd80-bab2-4ce1-82fc-13a5312be5ce/how_to_jump_attack_in_dark_souls_remastered.pdf
    • http://losisotudek.epizy.com/best_interview_questions_and_answers.pdf
    • https://uploads.strikinglycdn.com/files/b2e6bd27-0277-449d-b34e-0c313caae742/kiwesekipakaravozo.pdf
    • http://jawaduxivibono.epizy.com/47360761872.pdf
    • http://bawokexumavi.epizy.com/lagubukakiwajajap.pdf
    • https://19e6fc83-c281-4d06-93fd-e8b16a02b90a.filesusr.com/ugd/ce5d00_dc38d406a03346a0a603e9db8f6e240b.pdf?index=true
    • https://1e16f6d7-285b-4488-bf07-d3e24ac90e20.filesusr.com/ugd/417718_6fb4004378a44e349a79ebaa92979871.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8e05f3d5-fe98-4a7c-9728-e20764a6f9df/how_to_factory_reset_amazon_kindle_fire_when_locked.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d6b3.bin
3081fee3aa7d0e5bee981b67f78b2474b1e335b88cd3daf7f333d8e49f6dcc18		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD6B3 5468 bytes
font_01_sfnt_off0000e941.bin
583529e2473f238ae4fe9061966968785c8a8abf32e56e06e399212032a3bf1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE941 10820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.