Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf48b720dcc92be2…

Verdict: MALICIOUS
File type: PDF
Size: 80.0 KB
Created: 2021-03-31 23:25:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8cb84739608807a6ff687d5bee8062f4
SHA-1: 58e7318a3a9f55f6a0fc0118c97ae7436d907059
SHA-256: bf48b720dcc92be2c583c6875f8349b420149778c3b6bc7146129a448dad3b63
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is flagged by two independent engines, ClamAV (a phishing-PDF signature) and the Nyx PDF classifier (score 0.9995), so the verdict does not rest on a single detection. The most prominent extracted URL, https://maypoin.ru/award?keyword=solving+algebraic+equations+worksheets+pdf, points to a suspicious domain, and its keyword parameter mirrors a search phrase: the hallmark of an SEO lure in which a "worksheet" PDF is seeded into search results and its link redirects the reader to a payload download or a phishing page. The other body URLs are further similarly named PDFs on free or anonymous hosting (epizy.com, rf.gd, strikinglycdn.com, S3 buckets), consistent with a mass-generated lure set rather than a single hand-crafted document. The metadata shows the file was rendered by wkhtmltopdf 0.12.5 on 2021-03-31, i.e. generated programmatically from an HTML template so that it looks like a legitimate worksheet; the "obfuscated" appearance of the body is most likely just the compressed content streams such converters emit by default, so it should not be weighted as a separate signal. The T1059.007 (JavaScript) mapping is not corroborated by any JavaScript heuristic in the findings below and should be confirmed by dumping the document's objects before it is relied on.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware with the signature named above.
  • External URI (severity: info, tag: PDF_URI)
    The PDF carries a /URI action (typically the /A entry of a link annotation, or an /OpenAction), so a reader will navigate to an external URL when the link is clicked or the document is opened.
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a new definition and a new xref section), so severity is raised only when the duplicate carries active content such as a /JavaScript, /Launch, /URI or /OpenAction entry.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the list below mixes network indicators with strings that are never fetched by a reader: the w3.org, purl.org and ns.adobe.com entries are XMP/RDF namespace URIs from the metadata stream, and the ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL entries are font-foundry and licence URLs carried in the embedded font programs. Only the remaining entries are actionable indicators.
    • https://maypoin.ru/award?keyword=solving+algebraic+equations+worksheets+pdf
    • http://kirudikegopoded.sportsontheweb.net/rojano.pdf
    • http://mozobadijoba.medianewsonline.com/vasonurulodexazanumima.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/291d9072-f427-4fca-9173-0b04d33ff5e5/pugavof.pdf
    • http://babokad.epizy.com/is_america_visa_lottery_form_out.pdf
    • https://uploads.strikinglycdn.com/files/83af0d8d-8ddb-4d30-b5a3-e8c6b2871a02/what_to_grow_in_central_florida.pdf
    • https://uploads.strikinglycdn.com/files/a276f1af-a785-49f0-bd00-493afb0d2458/does_rafael_speak_spanish_in_jane_the_virgin.pdf
    • https://uploads.strikinglycdn.com/files/5e59f83c-ee6f-4de3-b88b-01cf64f4c81e/how_to_determine_velocity_from_position_vs._time_graph.pdf
    • https://s3.amazonaws.com/gomakobez/michigan_dnr_fishing_report_weekly.pdf
    • http://guwidovu.rf.gd/ramosimugudojufumikigare.pdf
    • http://vekotan.epizy.com/how_to_help_period_cramps_in_bed.pdf
    • http://tizexazebubo.atwebpages.com/75730755219.pdf
    • http://jujimewukekupur.epizy.com/mixezufizo.pdf
    • https://uploads.strikinglycdn.com/files/cefff4d2-5148-407e-9b5a-88cdd4fc25f7/13745074640.pdf
    • https://uploads.strikinglycdn.com/files/64f2e76a-8e03-45f9-ba2f-c230513599bf/63619872585.pdf
    • http://wefusav.rf.gd/fesojulatokunowo.pdf
    • https://s3.amazonaws.com/befarekogol/lotobosumu.pdf
    • http://jofesosozofoso.epizy.com/19859310138.pdf
    • https://s3.amazonaws.com/veraxawewib/imagine_math_answers_combining_like_terms.pdf
    • http://bugazepoja.onlinewebshop.net/betrayal_aleatha_romig_espaol.pdf
    • https://s3.amazonaws.com/zodawanuror/navy_technical_regulations_manual_identification_numbering_system.pdf
    • https://uploads.strikinglycdn.com/files/5db47172-016d-4cc2-8f8f-da8dfd0661a8/xikepezufotenafu.pdf
    • https://s3.amazonaws.com/pirosisob/93934606380.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
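
The channel distinction above matters in practice: a URL inside a /URI action is something a reader will navigate to, an `xmlns` attribute in the XMP stream is not. The following script is an added example, not part of the report or its analysis engine. It runs a plain byte-level extractor over a constructed PDF skeleton (not the analysed sample; its offsets are not valid, it exists only to exercise the regexes) and labels every URL with the channel that carried it plus a few heuristic flags. The free-hosting watchlist and the "search-lure" rule (a `keyword=` query holding a multi-word phrase) are assumptions derived from the URL list above, not standard indicators.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample (not the analysed file): a link annotation and an
# /OpenAction carrying /URI actions, an XMP metadata stream, and a font
# stream whose licence text contains a URL. Not a loadable PDF.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://maypoin.ru/award?keyword=solving+algebraic+equations+worksheets+pdf) >> >> endobj
5 0 obj << /S /URI /URI (http://vekotan.epizy.com/how_to_help_period_cramps_in_bed.pdf) >> endobj
6 0 obj << /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>
endstream
endobj
7 0 obj << /Subtype /OpenType >>
stream
Licensed under the SIL Open Font License, http://scripts.sil.org/OFL
endstream
endobj
%%EOF
"""

URI_ACTION_RE = re.compile(rb"/URI\s*\((https?://[^)\s]+)\)")   # clickable targets
XMLNS_RE = re.compile(rb'xmlns:\w+="(https?://[^"]+)"')          # XMP namespace URIs
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"')]+")                # everything else

# Illustrative watchlist (assumption): free/anonymous hosting seen in this
# campaign's URL list. Extend from your own telemetry.
FREE_HOSTING = ("epizy.com", "rf.gd", "atwebpages.com", "onlinewebshop.net",
                "sportsontheweb.net", "medianewsonline.com",
                "strikinglycdn.com", "s3.amazonaws.com")
NAMESPACE_HOSTS = ("www.w3.org", "purl.org", "ns.adobe.com")


def flags_for(url, channel):
    """Heuristic labels for one URL; the channel decides whether it is actionable."""
    p = urlparse(url)
    host = p.hostname or ""
    if channel == "xmp-namespace" or host in NAMESPACE_HOSTS:
        return ["schema-uri"]            # never fetched by a PDF reader
    flags = []
    if channel == "uri-action":
        flags.append("clickable")        # reader navigates here on click/open
    if any(host == d or host.endswith("." + d) for d in FREE_HOSTING):
        flags.append("free-hosting")
    # parse_qs turns '+' into spaces, so a multi-word phrase shows up as spaces
    if any(" " in v for v in parse_qs(p.query).get("keyword", [])):
        flags.append("search-lure")      # query mirrors a search phrase (SEO lure)
    if p.path.lower().endswith(".pdf"):
        flags.append("pdf-link")
    return flags


def triage_urls(data):
    """Extract every URL once, tagged with the most specific channel that carried it."""
    seen = {}
    for m in URI_ACTION_RE.finditer(data):
        seen.setdefault(m.group(1).decode("latin-1"), "uri-action")
    for m in XMLNS_RE.finditer(data):
        seen.setdefault(m.group(1).decode("latin-1"), "xmp-namespace")
    for m in ANY_URL_RE.finditer(data):
        seen.setdefault(m.group(0).decode("latin-1"), "document-body")
    return [{"url": u, "channel": c, "flags": flags_for(u, c)} for u, c in seen.items()]


def actionable(rows):
    """URLs a reader could actually reach, with schema URIs filtered out."""
    return [r["url"] for r in rows if "schema-uri" not in r["flags"]]


if __name__ == "__main__":
    for row in triage_urls(SAMPLE_PDF):
        print(f"{row['channel']:14} {','.join(row['flags']) or '-':32} {row['url']}")
```

The specific-channel passes run before the catch-all so a URL that appears in a /URI action is never downgraded to "document-body". On a real file, decompress FlateDecode streams first (e.g. with `zlib`) before running the regexes, otherwise link annotations inside object streams are missed.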

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, which wkhtmltopdf embeds for the fonts used by the rendered HTML; the font-foundry and licence URLs in the URL list above (ascendercorp.com, daltonmaag.com, scripts.sil.org/OFL) almost certainly originate from these streams and are not network indicators. None of the three is flagged by a detection.

  • font_00_sfnt_off0000eaa2.bin
    SHA-256: 2fa5b25b03100fd761ffa6bdb7b19c324a6f03d42dd80051f29b0b3b40a76e58
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAA2
    Size: 5884 bytes
  • font_01_sfnt_off0000fea0.bin
    SHA-256: 4b8bf2ed42c879eee8284f1af47ea97bf60dcf18e6ef7e852a8d7b58d49c28c3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFEA0
    Size: 11016 bytes
  • font_02_sfnt_off0001241d.bin
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1241D
    Size: 4324 bytes