Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc237411ff23feb0…

Verdict: MALICIOUS
File type: PDF
Size: 172.4 KB
Created: 2021-03-20 02:59:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff9c743f59adf8495ebdd3bbdaf3a958
SHA-1: bf64de5854c1e3272a10377bc21728a8b7d45c95
SHA-256: bc237411ff23feb0b403e0002ac1ca9285633d463e23ac6cdc60da3468a7e04b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF as malicious. The document body, though heavily obfuscated, appears to contain keywords related to the embedded URL, suggesting a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9972

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info; PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info; PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://mezovuduw.ru/wix?keyword=2020+my+country+mod+apk+revdl

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • stream_004_off00014095.bin (decompressed-pdf-stream)
    Source: PDF FlateDecoded stream at offset 0x14095; Size: 95012 bytes
    SHA-256: b48e0a71475d8a109dcb9929ac95bf3383d9b77f8f91c8f4c7c045d85206133d
  • font_00_sfnt_off0001304c.bin (pdf-font-stream)
    Source: PDF embedded font (sfnt) at offset 0x1304C; Size: 6588 bytes
    SHA-256: 4e1a9c4cb32f1bc4ff176ae4dc1460c31b2d267bf2def0252f23ad2731e7be72
  • font_02_sfnt_off00025404.bin (pdf-font-stream)
    Source: PDF embedded font (sfnt) at offset 0x25404; Size: 5444 bytes
    SHA-256: ba449bd726313d7c1e47e70e819389bd13785a65f3b9a44ee5f692089d4cc8f8
  • font_03_sfnt_off00026684.bin (pdf-font-stream)
    Source: PDF embedded font (sfnt) at offset 0x26684; Size: 11644 bytes
    SHA-256: 727628fe4fd8a24618ed2a719337cbcae84e98ece66830678614cdce32cd0a11
  • font_04_sfnt_off00028e35.bin (pdf-font-stream)
    Source: PDF embedded font (sfnt) at offset 0x28E35; Size: 16092 bytes
    SHA-256: 39b2f4b99ee08965fd4836f89f628a00cde8346cb181131bba0308e80db8fb67