Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9a18b3bcfd6e6f2…

Verdict: MALICIOUS
File type: PDF
Size: 85.4 KB
Created: 2021-03-28 04:55:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e0b7995c747c62f24a75c88bb5f6b46
SHA-1: 496395e9617b2f9d49e3e41a41b20b00f1188f01
SHA-256: b9a18b3bcfd6e6f208373b083a2a36ed7cdc73ef2aa6f7812f14888f8d79c058
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The presence of an external URI pointing to a download link suggests a phishing or credential harvesting attempt. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a social engineering lure designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e93a.bin | 47be4b2edc2894072ca8660d4a331f4121bdc61719015ec2ec1fdbca8412ddd9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE93A | 5228 bytes
font_01_sfnt_off0000fb07.bin | 3576dd373b651515f47e23d31ed66261cdf4600bff3365b97b89943213537ffa | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB07 | 2660 bytes
font_02_sfnt_off00010672.bin | 3645590f5242a98edca3d74ceab9b85d20f2c585fad067b0e15b6c81733edfe0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10672 | 12884 bytes
font_03_sfnt_off00012f7c.bin | 7401577046676d27ccc88cb4b64babdae0f997240dc599cd1fed13a734b5e409 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12F7C | 16656 bytes