Malicious PDF — malware analysis report

Static analysis result for SHA-256 b998f2f8bc9e1403…

MALICIOUS

PDF

Size: 76.4 KB
Created: 2021-03-20 09:39:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 02c259ebf6cd2224d2356266e00616af
SHA-1: 275af77e92eb3fea88cb39c660a7cb3815d51a5a
SHA-256: b998f2f8bc9e140361e8fe8432f02e7ff9264be6a8963384fab28961d30aebe9

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF document, produced from HTML with wkhtmltopdf, that is flagged as malicious by a machine learning classifier and by multiple heuristics; ClamAV matches it with a Pdf.Phishing.Trojan signature (see Heuristics). It carries an external URI action whose target is a suspicious domain, consistent with a link to a phishing page or to a further download, and most of the other extracted URLs point to ".pdf" files on free web hosting, S3 buckets and site-builder CDNs. One indirect object is defined twice with different bodies, so a first-wins and a last-wins parser resolve different content for it. The document body is heavily obfuscated but contains keywords usable in social engineering lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action); the target is listed under Embedded URL below.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate definition carries active content (an action, script or trigger).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=karima+adebibe+vikings
    • http://vir-tus.com/gre_quantitative_percentilessiw98.pdf
    • http://dutipajito.22web.org/delalafukam.pdf
    • http://lassituda.online/vabujaxusopefikuhse3m.pdf
    • http://tanifulumu.iblogger.org/20998556562.pdf
    • http://inostrana.com/how_to_replace_a_lost_drivers_license_in_south_carolina4zgvs.pdf
    • http://mufezupep.iblogger.org/munagoxepilafexuwigivet.pdf
    • http://lakcherie.ru/modusubaxepajou5lc.pdf
    • http://zhigina.ru/autisme_montreal_formationyd7by.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_514aa119faad469d877aea3b242afc69.pdf?index=true
    • https://s3.amazonaws.com/lulelepese/united_states_army_drill_sergeant_school_unit_commanders_candidate_checklist.pdf
    • https://73f4d879-981c-49fe-abc7-520f36a14a84.filesusr.com/ugd/b77b08_ee6bf9ee09fe426ab5e2644a67e9a70f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5e4bc74c-8c96-4141-89d4-10a50c2e15db/dikaz.pdf
    • https://uploads.strikinglycdn.com/files/92e8e9e5-7de9-4bbb-93b6-434d478b37e1/kufuxipivevero.pdf
    • http://sulonofanez.rf.gd/dorufo.pdf
    • http://xofenilar.epizy.com/how_to_build_balance_sheet_from_income_statement.pdf
    • https://uploads.strikinglycdn.com/files/2e82da73-fd4b-43e0-8223-15741de08d68/lakshmi_narayana_stotram_in_telugu_lyrics.pdf
    • https://1fc3e790-19e1-43b7-bae7-d09a953f51fe.filesusr.com/ugd/2c608b_ac17b0ea10ae46dcb97d05fa85d2c017.pdf?index=true
    • http://gejonutopufone.rf.gd/miller_syncrowave_250_dx_parts_manual.pdf
    • http://wagadepepixapu.epizy.com/adding_doubles_facts_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/15a41694-2549-419d-b7b8-8394037ea314/45113889269.pdf
    • https://s3.amazonaws.com/jajuzasalikirut/86299196501.pdf
    • https://s3.amazonaws.com/tojabixefova/33096075235.pdf
    • https://s3.amazonaws.com/divelatoxa/d-_command_service_guide.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
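The two PDF heuristics above (the external /URI action and the object defined twice with different bodies) can be reproduced with a byte-level scan of the file. The following is an added example written for this page, not code from the analysis platform or from any PDF library. It scans every "N G obj ... endobj" definition regardless of what the xref table says, reports objects whose repeated definitions differ and records both the digest a first-wins reader and the digest a last-wins reader would resolve, flags the duplicate as active when any definition carries an action or script key, and extracts /URI targets. The sample PDF, its object numbers and the domains in it are constructed for the demonstration; they are not taken from the analysed file.

```python
import hashlib
import re
from collections import defaultdict

# Byte-level scan of "N G obj ... endobj" definitions. This is deliberately not a
# full PDF parser: it ignores the xref table on purpose, so that every definition a
# first-wins or a last-wins reader could pick up is seen, including definitions an
# incremental update appended after the original %%EOF. Object streams (/ObjStm)
# and encrypted or hex-encoded strings are out of scope for this scanner.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)

# /URI action targets written as PDF literal strings "( ... )".
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# Keys whose presence in a redefined body means the duplicate carries active
# content (actions, scripts, triggers); that is what raises the severity.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/GoToR", b"/SubmitForm", b"/EmbeddedFile")


def parse_objects(data: bytes) -> dict:
    """Map (object number, generation) -> list of body bytes, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return objs


def find_duplicate_objects(data: bytes) -> list:
    """Objects defined more than once with differing bodies.

    Each finding records the digest a first-wins reader resolves and the digest a
    last-wins reader resolves, plus whether any definition carries active content.
    """
    findings = []
    for (num, gen), bodies in parse_objects(data).items():
        if len(bodies) < 2:
            continue
        digests = [hashlib.sha256(b).hexdigest() for b in bodies]
        if len(set(digests)) == 1:
            continue  # byte-identical re-emission: every reader agrees, not a finding
        findings.append({
            "obj": f"{num} {gen}",
            "count": len(bodies),
            "first_wins_sha256": digests[0],
            "last_wins_sha256": digests[-1],
            "active_content": any(k in b for b in bodies for k in ACTIVE_KEYS),
        })
    return findings


def _unescape_literal(s: bytes) -> bytes:
    # Only the literal-string escapes that can occur inside a URL: \( \) and \\
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), s)


def extract_uris(data: bytes) -> list:
    """All /URI action targets, in file order, decoded as str."""
    return [_unescape_literal(m.group(1)).decode("latin-1") for m in URI_RE.finditer(data)]


# Constructed sample (hypothetical, not the analysed file). The original body has a
# link annotation (4 0) whose action (5 0) points at a harmless-looking PDF; the
# xref table is omitted because this scanner does not consult it.
ORIGINAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /Action /S /URI /URI (http://docs.example.invalid/report.pdf) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n"
)
# Constructed incremental update that redefines 5 0 with a different /URI target.
UPDATE = (
    b"5 0 obj\n<< /Type /Action /S /URI /URI (https://lure.example.invalid/wix?keyword=lure) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 /Prev 0 >>\n%%EOF\n"
)
SAMPLE_PDF = ORIGINAL_PDF + UPDATE

if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"duplicate object {f['obj']} x{f['count']} active={f['active_content']}")
        print(f"  first-wins {f['first_wins_sha256'][:16]}  last-wins {f['last_wins_sha256'][:16]}")
    for u in extract_uris(SAMPLE_PDF):
        print("URI", u)
```

Run against a real sample, the two digests tell you which content to detonate or render for each reader family; when the hashes differ and the active flag is set, treat the later definition as the payload a last-wins viewer such as most desktop readers will follow, and the earlier one as what a first-wins scanner saw.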

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off0000eaac.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xEAAC  5344 bytes
  SHA-256: 3c61935a80d842d7be26fd31a6830af7d7ea8263e4cee9e88c9d5a0f021c54e8
font_01_sfnt_off0000fcc9.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xFCC9  11700 bytes
  SHA-256: 2dfcf8adf51c2b33badf64a3179af743419380a0b123cdbc988ee4f7ad8e98b3