Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf0c9fe1690b3316…

MALICIOUS

PDF

74.8 KB Created: 2021-02-26 11:46:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fec7acdcc221d00ca8dccc1ad1dd7241 SHA-1: 9b75f9680445584bbe90a7f6d6e1cace88070bb6 SHA-256: bf0c9fe1690b3316280937980b62d1bc3228796a94ddaa36edb91464cb0be934
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, which is likely intended to redirect the user to a malicious site. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing or trojan PDF. The document body, though heavily obfuscated, contains references to 'Stephen King book reading level', suggesting a lure to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/123?utm_term=stephen+king+book+reading+level
    • http://tejovotemikodes.getenjoyment.net/bosch_super_silence_plus_42_dba_soap_dispenser_not_working.pdf
    • https://cdn-cms.f-static.net/uploads/4381318/normal_600d65747e798.pdf
    • http://palikexifumalam.mywebcommunity.org/vadixibojob.pdf
    • http://gowanenutik.mypressonline.com/pupido.pdf
    • http://fisujerekuvij.getenjoyment.net/kenmore_coldspot_106_water_filter_location.pdf
    • http://gogadozuxigode.iblogger.org/jose_chameleone_basiima_ogenze.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/levovod/neginatezo.pdf
    • https://s3.amazonaws.com/gulapore/byetta_injection_guide.pdf
    • http://momabuxamejuwev.rf.gd/affine_transformation_matrix_opencv.pdf
    • http://xuxerutiwuv.onlinewebshop.net/92072888128.pdf
    • https://s3.amazonaws.com/kibavutibeved/velodebududegodibisedu.pdf
    • https://s3.amazonaws.com/negonanopix/driver_booster_3_baixaki.pdf
    • https://s3.amazonaws.com/lusegokaves/k20_pro_android_10_update.pdf
    • https://s3.amazonaws.com/jiwisi/xodij.pdf
    • http://witigunakejawi.rf.gd/mifi_6620l_reset_password.pdf
    • https://s3.amazonaws.com/gotenukevepunin/54555947580.pdf
    • https://s3.amazonaws.com/sefepugolupalax/file_manager_pro_apk_asus.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e85d.bin
0f68df1efa1f388f4bdeb840699bb71417f5e9d82fbcb6a9146f1878ffae2743		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE85D 5412 bytes
font_01_sfnt_off0000fabb.bin
df78d54a23b2c38ef698b3f77acec542181d00c34c1c27cd7bc72de59b7297e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFABB 10400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.