Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5129d90b41de31e…

MALICIOUS

PDF

Size: 76.9 KB
Created: 2021-04-21 16:05:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b2ed47e72842ac052df98c089527d39d
SHA-1: 5136c5d4e4f391660c54130cdb1e1e07a3b02cac
SHA-256: c5129d90b41de31eb3c4ef175b19bfefe2d9509c3b30910ac401bdf46ec5ec22
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to a suspicious URL, which is likely part of a phishing or social engineering attempt. The document body, though heavily obfuscated, appears to be a lure related to cleaning an iron, intended to trick the user into visiting the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/strik?utm_term=how+to+clean+rowenta+self+cleaning+iron

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000efff.bin
    SHA-256: 5c96c236f27a9dc627558624f6a2ce1aad07b747f2a249b51c4dab24ab2d82d9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFFF
    Size: 5104 bytes
  • font_01_sfnt_off0001017e.bin
    SHA-256: 637278c77ef7c907006cace4027ca9017824c1371dd54768a0e7db8e62b7a392
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1017E
    Size: 10604 bytes