Malicious PDF — malware analysis report

Static analysis result for SHA-256 c02aa65955e0ea6d…

Verdict: MALICIOUS
File type: PDF
Size: 88.5 KB
Created: 2021-04-01 14:24:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b963ec09a73accfb585e7726a2e5c189
SHA-1: d746c95b949b154f44efc5b3f7f2f58bf24885cd
SHA-256: c02aa65955e0ea6d4980d9beeae0780f38cdd8fa82a2fd89ae9992ba261b12a8
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a URL that mimics a search result for a specific PDF download, likely serving as a lure. The document body, though heavily obfuscated, contains metadata related to PDF creation and a keyword search, reinforcing the phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion pattern used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://dafemum.ru/award?keyword=amar+ujala+epaper+agra+pdf+download
    • https://cdn.sqhk.co/kidobogi/icpjcje/tetaxaligebomedudemenan.pdf
    • http://nibajafij.medianewsonline.com/cahier_de_vacances_maternelle_grande_section.pdf
    • https://cdn.sqhk.co/lobinazema/jdJidNu/41371538943.pdf
    • https://cdn.sqhk.co/widagawinud/hhjhTC9/barclays_premier_mortgage_rates.pdf
    • http://mawosatejojeka.sportsontheweb.net/eton_mini_compact_am_fm_shortwave_radio_review.pdf
    • https://cdn.sqhk.co/tazifawixax/h6qFgfu/porugefasiviruneniz.pdf
    • http://tozebejiposutor.iblogger.org/47884390402.pdf
    • http://mebesovinu.22web.org/rativifabexinala.pdf
    • https://cdn.sqhk.co/terisuzuji/he4Figf/xebefixu.pdf
    • http://purubifo.medianewsonline.com/23687103835.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://fedorahosted.org/lohit
    • https://6196a4e6-b3b5-4a85-a139-4ec84e0a53d9.filesusr.com/ugd/d01287_0590a5c991f349f9a5f875641949f112.pdf?index=true
    • https://3b87a2b8-2d13-4e6d-acc4-cbba57692a59.filesusr.com/ugd/50988c_4b18851f007745a9b357c4b88077c67a.pdf?index=true
    • https://s3.amazonaws.com/senodiw/zimoniwir.pdf
    • https://37976aa0-f55f-47d3-847a-8d185b13ebf6.filesusr.com/ugd/1d6212_dd7feb96b4594e07841d270abffab8ec.pdf?index=true
    • https://146c8b6c-0b46-450b-8ed0-b45f1e2a4974.filesusr.com/ugd/b58d21_f39286e9231f42bcb71bfaf107a83b82.pdf?index=true
    • http://zimeketoxera.epizy.com/utorrent_for_android_latest_version.pdf
    • https://013c3ecd-17dd-4738-ad87-554153c764a5.filesusr.com/ugd/36f25b_71994c965d044a0485cdbbeffb54a5a1.pdf?index=true
    • https://s3.amazonaws.com/genijusemu/malistaire_dungeon_guide.pdf
    • https://4590046d-f0a9-4171-b8a0-56ff8c1fe63c.filesusr.com/ugd/0bfb20_899c4d32584c472ca841349dbd6cb0a0.pdf?index=true
    • https://s3.amazonaws.com/satudifin/ciara_i_bet_lyrics_video.pdf
    • https://71b4061d-0fbe-47a8-a671-08758978b022.filesusr.com/ugd/0216f2_7d5225bb548d48a0940807574d7d1461.pdf?index=true
    • http://tatesit.myartsonline.com/banjo_chords_5_string.pdf
    • http://ledugezutixajo.epizy.com/26728238960.pdf
    • http://fuxazulofonu.epizy.com/who_is_related_to_abraham_lincoln.pdf
    • https://s3.amazonaws.com/kagedatabujo/cascading_style_sheets_pronunciation.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
--- | --- | --- | --- | ---
font_00_sfnt_off0000e31e.bin | cf7e025f4a346a9ecb0faa258f62e2aada90aa0d90cabda8026ae3020329b126 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE31E | 5092 bytes
font_01_sfnt_off0000f46b.bin | 67d3e988587c14d3c7e70d85bf8f3a6cb9954ed2e5b9e88031440499f243bfd8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF46B | 10276 bytes
font_02_sfnt_off0001174f.bin | ebd2804bff382343e08f6a42dc45f69f4e794c08b23908ae60ba78ededae74b1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1174F | 16164 bytes
font_03_sfnt_off00012c67.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C67 | 4324 bytes
font_04_sfnt_off00013a66.bin | d59826db49833909bc8db46f84264b50843b3569f85d7f04960f0d65a971a447 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13A66 | 6388 bytes