Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7a4b1e45ca96461…

Verdict: MALICIOUS
File type: PDF
Size: 120.5 KB
Created: 2021-03-14 22:28:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4462205978258e3c467a930fc8f56aa4
SHA-1: d1ee9ca538233b1841f782940d25f9ae86fdaaf7
SHA-256: b7a4b1e45ca964619300342287e5c350d2f7b332931a3e7425e0aaa759524431
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by the ML classifier and by ClamAV, whose signature names it a phishing trojan. Its URL actions point to a large set of external addresses: the lead URL, https://midufefew.ru/wix?keyword=anime+symbols+and+meanings, carries a search-keyword query of the kind used in SEO-poisoning lures, and most of the remaining links point to further PDF downloads on free-hosting domains. The likely intent is redirection to a phishing or malware-distribution page. The document body, which the analysis reports as obfuscated, appears to be a search-query lure. Note that no JavaScript-specific heuristic fired in this static pass, so the T1059.007 mapping is not corroborated by an extracted script.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV matched the file against signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/wix?keyword=anime+symbols+and+meanings
    • http://playmarket-online.com/perspectives_intermediatetc9yu.pdf
    • http://lnstagram-verificationbadgeform.com/417234575666qzf3.pdf
    • http://rumagadoli.22web.org/89962765012.pdf
    • http://midikakuvekume.mywebcommunity.org/79894280262.pdf
    • http://welitizenowem.mywebcommunity.org/rincian_apbn_2020.pdf
    • http://namafafiteg.mypressonline.com/ver_videos_de_monster_high.pdf
    • http://tidirakozodawon.getenjoyment.net/lagapilumexo.pdf
    • http://rulabepotinujeb.mypressonline.com/75935012110.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vibesevazetiv.rf.gd/how_to_do_half_life_problems_biology.pdf
    • http://vapamul.epizy.com/upsc_information_in_marathi_download.pdf
    • https://uploads.strikinglycdn.com/files/9a1cf9a4-2b8d-40ea-8fe3-9a4042db5493/2001_kawasaki_vulcan_1500_classic_owners_manual.pdf
    • https://50b44c92-959e-4a15-bf83-93d6b2b518d6.filesusr.com/ugd/3ed44c_15f8d3a4f9634c6bbc00bac003eb36f0.pdf?index=true
    • https://39472683-7d43-4bc3-882b-0947a83fd973.filesusr.com/ugd/544c7e_39aef017a8f84b37a378f333f09244b4.pdf?index=true
    • http://vuxikujare.epizy.com/48796747588.pdf
    • https://uploads.strikinglycdn.com/files/3f4b9b14-cf29-4f3d-961f-665c6294cfbf/44037113108.pdf
    • https://uploads.strikinglycdn.com/files/928143aa-b34a-457e-9732-f349f4891b1d/lagivemotetarasivuberop.pdf
    • https://810dce77-56ab-4324-823a-3549757f4eab.filesusr.com/ugd/1fad07_dc58b229059f4153b9cce4bb733205b0.pdf?index=true
    • https://uploads.strikinglycdn.com/files/92d36ad8-1e76-443d-9713-e2da992b78b3/skyrim_special_edition_mod_list_2019.pdf
    • https://52c77544-2eb8-427c-ad0e-a8a7e2ea9366.filesusr.com/ugd/93288f_73f53ef97b1441118931de2aaa6e5ad4.pdf?index=true
    • https://b84c3727-5d5a-4c5d-9d5d-21cac87b3a69.filesusr.com/ugd/fdd6c2_5441b45adbec454989521b60768bbe4d.pdf?index=true
    The following are XMP namespace and font-licence identifiers taken from document metadata, not link targets:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
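The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI heuristics above describe what to look for but not how to look. The scanner below is an added example, not the report's own tooling: it walks the raw bytes of a PDF for every "N G obj ... endobj" definition (so appended incremental updates are seen too), reports object ids defined more than once with differing bodies, emulates a first-wins and a last-wins reader on each, grades the duplicate by whether either body carries active content, and pulls /URI targets out of every object. The sample PDF inside the block is constructed for illustration and is not the analysed file; its xref offsets are placeholders because the scan does not walk xref, and the key list in ACTIVE_KEYS is an assumption about what counts as "active".

```python
"""Raw-byte PDF triage: duplicate indirect objects and /URI targets.
Added example, not the analysis pipeline's code. SAMPLE_PDF is constructed."""
import re
from collections import defaultdict

# "N G obj ... endobj" anywhere in the file, including appended incremental updates.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI as a literal string "(...)" (honouring \( \) \\ escapes) or a hex string "<...>".
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# Assumed "active content" keys; a coarse substring match is enough for triage.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")

# Constructed sample: object 5 is a benign link, then an incremental update
# re-defines 5 0 with a different target. A first-wins reader shows example.org,
# a last-wins reader shows the lure. xref offsets are dummies.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.org/legit) >> >>
endobj
xref
0 6
0000000000 65535 f
trailer
<< /Size 6 /Root 1 0 R >>
startxref
0
%%EOF
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://lure.example.net/doc\\(1\\).pdf) >> >>
endobj
xref
0 1
0000000000 65535 f
trailer
<< /Size 6 /Root 1 0 R /Prev 0 >>
startxref
0
%%EOF
"""


def iter_objects(data: bytes):
    """Yield (num, gen, body, offset) for each object definition in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def find_duplicate_objects(data: bytes):
    """{(num, gen): [body, ...]} for ids defined more than once with differing
    bodies. Byte-identical re-definitions (benign incremental saves) are ignored."""
    seen = defaultdict(list)
    for num, gen, body, _ in iter_objects(data):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """Emulate a first-wins ("first") or last-wins ("last") reader for (num, gen)."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


def triage_duplicates(data: bytes):
    """Grade each differing duplicate: 'high' if any body carries active content,
    otherwise 'info', mirroring the severity rule in the heuristic description."""
    return {
        key: "high" if any(k in b for b in bodies for k in ACTIVE_KEYS) else "info"
        for key, bodies in find_duplicate_objects(data).items()
    }


def _unescape_pdf_string(raw: bytes) -> bytes:
    # Only the escapes that matter for URLs: \( \) and \\.
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def extract_uris(data: bytes):
    """[(num, gen, url), ...] for every /URI value, in file order."""
    found = []
    for num, gen, body, _ in iter_objects(data):
        for m in URI_LIT_RE.finditer(body):
            found.append((num, gen, _unescape_pdf_string(m.group(1)).decode("latin-1")))
        for m in URI_HEX_RE.finditer(body):
            found.append((num, gen, bytes.fromhex(m.group(1).decode()).decode("latin-1")))
    return found


def report(data: bytes) -> None:
    for (num, gen), verdict in triage_duplicates(data).items():
        print(f"duplicate object {num} {gen}: {verdict}")
        print("  first-wins:", resolve(data, num, gen, "first")[:70])
        print("  last-wins: ", resolve(data, num, gen, "last")[:70])
    for num, gen, url in extract_uris(data):
        print(f"URI in object {num} {gen}: {url}")


if __name__ == "__main__":
    report(SAMPLE_PDF)
```

Because the scan ignores the xref tables, it sees both definitions of object 5 even though a conforming reader would only ever load one of them; that is the point, since which one a given reader loads is exactly what an attacker exploits. On the analysed sample the same pass would surface the /URI targets listed under EMBEDDED_URL regardless of which update section carries them.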

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType/OpenType) font programs, which are routine in wkhtmltopdf output; they are listed for completeness, not as indicators.

font_00_sfnt_off00017a41.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x17A41
  Size:    3040 bytes
  SHA-256: a20bb4f408d8f784ad73c3448e4c5f25c27999cb50838481ad122ee355a0e39f

font_01_sfnt_off0001852c.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1852C
  Size:    5280 bytes
  SHA-256: 019c79158e17eda04dce5f9ecb15a03d0d3bb68ca348c035ff8eb62b681c0268

font_02_sfnt_off0001971c.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1971C
  Size:    11000 bytes
  SHA-256: b9f9e2f1fb958694c34c1b15eec268ce68b26bbca127f4a054292b87082e4a9c

font_03_sfnt_off0001bd20.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1BD20
  Size:    16120 bytes
  SHA-256: f30ee8d6612ca89d70d4de2044b950377342cc80e96f28d931cd1720b7215cf2