Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbdb63bbdd442c6c…

Verdict: MALICIOUS
File type: PDF
Size: 147.5 KB
Created: 2021-03-24 23:23:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ef2eadac5d4c93e8089e12a4f65c2ce
SHA-1: 36ae796fd833faf0bbbd80a2454a5d1f19103d70
SHA-256: bbdb63bbdd442c6cd28153610b327fc9d75616b7bfedb4d1c5726469c96a841e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URI pointing to 'https://xajibur.ru/123?utm_term=ck2+hermetic+society+guide', which is likely the primary lure. Although no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest an attempt to redirect the user to a malicious site, potentially for phishing or to download further payloads. The document body is heavily obfuscated and unreadable.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://xajibur.ru/123?utm_term=ck2+hermetic+society+guide

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001fbb4.bin
    SHA-256: 57ba1e1339da8c1a4670740ea443651cf5865c91aef70c9d9ec0d519961f945f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1FBB4
    Size: 5312 bytes
  • Filename: font_01_sfnt_off00020da7.bin
    SHA-256: 829c95a9dfe64ba059b53c514350c1e18b0890dcd9d287bfb4e67db381a0b7d8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x20DA7
    Size: 15868 bytes