Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb15b7e258ffbebb…

Verdict: MALICIOUS
File type: PDF
Size: 104.9 KB
Created: 2021-03-09 08:45:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0f16a38f7ed7b9afbe076027565784f6
SHA-1: 5773062cf7e701c324b15c4e50c2c0aeec285e67
SHA-256: bb15b7e258ffbebb5c4fc3f2563bc65d29f1d9e32e8af928ca3f5f0ebcb7ba82
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious domain, identified as a phishing attempt by ClamAV and an ML classifier. The document body, though heavily obfuscated, contains text related to 'book pdf' and the authoring application, suggesting a lure to download content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00013cd7.bin
    SHA-256: 93834bc42197b730a2d62cb7519e0a85af9fb0d3f03df6c61ddf117e468c2296
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13CD7
    Size: 5144 bytes
  • font_01_sfnt_off00014e55.bin
    SHA-256: e4007e60f80d901e7a582a0cbd9a0a76b47466485fd8d487105cb45b9edbfdeb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14E55
    Size: 16056 bytes
  • font_02_sfnt_off000181c4.bin
    SHA-256: c43c81af3addadc619f1b50b0eb79006c69e58cb90abf43f7a5fbd940e22698c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x181C4
    Size: 16060 bytes