Malicious PDF — malware analysis report

Static analysis result for SHA-256 b71f8fdbc7667674…

MALICIOUS

File type: PDF
Size: 76.7 KB
Created: 2021-03-11 21:37:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93c0e8cc14f26a6c309d89bda9256155
SHA-1: 2e8f68f16aec998b7494fed034b8882e71dcf3ab
SHA-256: b71f8fdbc766767482ade3cd726fd84d396b5c5e0fd6335314fe32099caaf66d
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, specifically 'https://maypoin.ru/wix?keyword=ninja+run+3+unblocked', suggests the document is designed to redirect users to a potentially harmful website. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a date, hinting at its origin and potential use as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/wix?keyword=ninja+run+3+unblocked

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e177.bin
    SHA-256: 12dbf76f11464403f8d895463e7f0a786e3968df6749a53493d2150bee7e998d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE177
    Size: 4968 bytes
  • font_01_sfnt_off0000f254.bin
    SHA-256: 97ebd59cbcaf7231b1816d3f0d860d8643df0f81515ce65713c6dcada4f03aa8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF254
    Size: 11292 bytes
  • font_02_sfnt_off0001172f.bin
    SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1172F
    Size: 4324 bytes