Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb0e8a445b3adad7…

MALICIOUS

PDF

Size: 102.1 KB
Created: 2021-03-31 23:19:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aebea6a9e5508f1b62e9fcdae1b9c1db
SHA-1: ea33959ce8916328d5797e9de0bf5123abea7b3b
SHA-256: bb0e8a445b3adad7be0f2c4fef343be387b7c49441e6227ab87cb4c9f129fa2c
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF that contains an embedded URI pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF with high confidence. The document body, though heavily obfuscated, appears to be related to the URI's keyword, suggesting a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://maypoin.ru/award?keyword=geometrical+tolerances+symbols+pdf
    • https://fuwemuwiwogul.weebly.com/uploads/1/3/4/0/134016804/bavaxatomuwanekifav.pdf
    • https://joxeluduxena.weebly.com/uploads/1/3/4/7/134772203/1157165.pdf
    • https://binazinir.weebly.com/uploads/1/3/4/1/134108718/6939133.pdf
    • http://mufosubofamar.mywebcommunity.org/wixorunowijib.pdf
    • http://liwexun.mywebcommunity.org/ezgo_powerwise_qe_charger_problems.pdf
    • https://lekifusa.weebly.com/uploads/1/3/1/3/131382118/mekox-xanofewolifupo-lawariludakupar-kilovavu.pdf
    • https://xugubevowasisof.weebly.com/uploads/1/3/4/8/134885616/915a7b.pdf
    • http://jujovobima.getenjoyment.net/fungus_the_bogeyman_book.pdf
    • https://vawisopikev.weebly.com/uploads/1/3/2/7/132740649/xoxonurit.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nufiwimuzobo.onlinewebshop.net/how_do_i_connect_my_swann_camera_to_my_tv.pdf
    • http://zalatikewal.atwebpages.com/types_of_screws_and_bolts.pdf
    • http://vuxepogi.atwebpages.com/zabasava.pdf
    • http://ximuviliduxa.rf.gd/lg_tv_repair_shop_near_me.pdf
    • https://s3.amazonaws.com/bupesejirijejus/60829612314.pdf
    • http://jigosip.epizy.com/monthly_meeting_planner_template.pdf
    • http://maretubozewugi.myartsonline.com/probability_without_replacement.pdf
    • https://s3.amazonaws.com/vavale/inferring_worksheets_grade_6.pdf
    • http://jokubamobivavum.onlinewebshop.net/la_profecia_celestina_libro_gratis.pdf
    • https://s3.amazonaws.com/pojikovewijeja/67196730544.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000101b2.bin | 7598ec2c9dac547b94ff5e2fe06596c8675979a51bbc6e4a0814b2f1b12fc8dc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x101B2 | 6620 bytes
font_01_sfnt_off00011231.bin | 61a355b5cec9962aa426e78a16e5ad5354627d5705afa16d9827fd1422430c7c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11231 | 4556 bytes
font_02_sfnt_off00011f53.bin | 495cc7e4fe9eb5bd7084cf2fd3ac30685435652c629fbc55e6e2a5ef082785d6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11F53 | 5572 bytes
font_03_sfnt_off000131f3.bin | 17f7e40af52f6a7f7d25fa70f5f9ca20fdb0b9e5ddbea7420345372982883034 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x131F3 | 6244 bytes
font_04_sfnt_off0001412e.bin | 35e28463fb5c79298fc0da28ea30e957961ae7f158722b2952ea20fceb25c34f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1412E | 1900 bytes
font_05_sfnt_off00014a66.bin | 0eb23cf2aa91b3f92a84563de8e0396568106f4519de42d819b12e6d49119d04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14A66 | 11560 bytes
font_06_sfnt_off00017225.bin | 85527a2addf45ea37826b22993b9d5c588ce6e43bf9949d8cdf45089444c9023 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17225 | 16520 bytes