Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6f4240a705547e7…

MALICIOUS

Type: PDF
Size: 77.5 KB
Created: 2021-03-27 14:33:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00ecd10f527bed79e987133a8aaa97b1
SHA-1: b5122581c02bc8ed4308d16344dbf71d332d9a33
SHA-256: b6f4240a705547e70f1d3d3336d75d33c847fb1777c14ed529f35096422d2f9b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating it is malicious and has been flagged by an ML classifier and by ClamAV as a phishing trojan. The document body, though heavily obfuscated, suggests a lure related to 'chapter assessment' and 'answers'. An external URI action was extracted, pointing to a URL that likely hosts a malicious payload or phishing page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://xezojetit.ru/wix?keyword=chapter+assessment+examen+del+capitulo+3b+answers
    • https://cdn.sqhk.co/lukumuzu/QgrcRjj/warship_battle_map_download.pdf
    • https://cdn-cms.f-static.net/uploads/4456728/normal_601853be972fd.pdf
    • http://mejumeroxara.mywebcommunity.org/bepigavipizotinali.pdf
    • http://tusiteguluvora.getenjoyment.net/cellular_organization_notes.pdf
    • https://static.s123-cdn-static.com/uploads/4417426/normal_5fcda1af6dfd9.pdf
    • https://cdn.sqhk.co/woleparos/iIFiizx/cinemark_brasilia_park_shopping.pdf
    • https://static.s123-cdn-static.com/uploads/4478141/normal_5fde04274f11f.pdf
    • https://static.s123-cdn-static.com/uploads/4369769/normal_6001dd68e59dd.pdf
    • https://cdn.sqhk.co/dixufeja/Pig9Whi/street_racing_syndicate_cheats_xbox.pdf
    • https://cdn.sqhk.co/rapigufagi/ieiahj6/94834669659.pdf
    • http://dogalijun.scienceontheweb.net/calendario_2020_da_stampare_gratis.pdf
    • https://static.s123-cdn-static.com/uploads/4482849/normal_5ffdd7cdbbedc.pdf
    • https://cdn-cms.f-static.net/uploads/4501963/normal_5fd3992b5b2c2.pdf
    • https://cdn-cms.f-static.net/uploads/4472221/normal_5fe9a5d0b2d8c.pdf
    • http://nutetuxiv.mygamesonline.org/fomak.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/98358264-a389-4d0b-a8ce-3916c16c23f3/tunorifafefimetonevebu.pdf
    • https://68a74d12-89ac-4a94-b826-09ad332a30bf.filesusr.com/ugd/1a0392_89318ae299374209ad185ed490811e20.pdf?index=true
    • https://uploads.strikinglycdn.com/files/0c2e3dca-3f3c-45e4-9fc2-0d2c1310fab0/how_to_use_a_handy_stitch_handheld_sewing_machine.pdf
    • https://uploads.strikinglycdn.com/files/6aaf025b-c16a-420d-94f2-45c93a713fbc/venenuz.pdf
    • http://wuxosalilujaza.atwebpages.com/70576117070.pdf
    • https://uploads.strikinglycdn.com/files/32a8cdc0-69d2-40b3-97a1-6d183bcc06f7/samsung_xpress_m2835dw_printer_problems.pdf
    • https://dd67658a-cc17-4e1c-bca5-42bf299a485b.filesusr.com/ugd/07a440_85e7c92a5c1a441aabfae9416dae69b9.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3922cef8-150d-49e7-bd69-8fe4e564d271/the_flower_of_life.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ec6f.bin
    SHA-256: 6d080474e5ef724df079043686be03570f3cd85b70bce2e84a27559ba3225adc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC6F
    Size: 5684 bytes
  • font_01_sfnt_off0000ff9c.bin
    SHA-256: 7184ed853e9d086d4a9f6df54ad45fa7e0a40c1aab445e69c019f03432ec714a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF9C
    Size: 12188 bytes