Malicious PDF — malware analysis report

Static analysis result for SHA-256 b84e9386a6970ded…

MALICIOUS

PDF

Size: 98.2 KB
Created: 2021-03-20 22:02:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41ef8832df332cc6fcfdc5aa22ab557e
SHA-1: ea1c812c72d65c85d96db24118cc06de10f8929f
SHA-256: b84e9386a6970dede96d244da0fd562cbfb1fe2d84996048b07e8229812bb02f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a phishing attempt. The embedded URL, https://leonvi.ru/wix?keyword=tresanti+powered+adjustable+height+desk+manual, is likely part of the phishing lure, directing users to a potentially harmful site. The document body, though heavily obfuscated, suggests a context related to a product manual, reinforcing the phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://leonvi.ru/wix?keyword=tresanti+powered+adjustable+height+desk+manual

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0001230a.bin
    SHA-256: 9dec3f67b40669668021f326abf2b66843c97721edeafe5f0656b93649109d2a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1230A
    Size: 5692 bytes
  • font_01_sfnt_off00013645.bin
    SHA-256: 10a5812106cf5fbf9ce25371f48c8be3be24bac3922bd6c092b78fa9ee44f145
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13645
    Size: 12456 bytes
  • font_02_sfnt_off000160d7.bin
    SHA-256: 73433758e90541740adbcb1a57c1709f6ce0a083610f5acf38f16f8072057b03
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x160D7
    Size: 16876 bytes