Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7564228591576e9…

MALICIOUS

PDF

Size: 261.8 KB
Created: 2021-03-17 17:27:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72f5f97c1f64cb306368ec3781892596
SHA-1: 1a9ebf2b1a5488f50dbdf388520017a7a59acf9d
SHA-256: c7564228591576e9f5e04d6570e988dc41a91e88cadd2d75576c8c65e25033d0
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains multiple embedded URLs and a heuristic firing for PDF_URI, indicating it attempts to redirect users to external malicious sites. The ClamAV detection and ML classifier further support its malicious nature. The document body, though heavily obfuscated, contains keywords related to 'summoners war hack', suggesting a lure for a game-related cheat, which is a common phishing tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7199

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off00038240.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x38240; Size: 3108 bytes
    SHA-256: 90729a1328c0114eccbe966067b39aa5f3faa12d56f43ad831db50665020b12e
  • font_01_sfnt_off00038d78.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x38D78; Size: 5696 bytes
    SHA-256: bef9bc7377971598986a28d4cda05c52025d871e0da637c9f241735eb9fff85a
  • font_02_sfnt_off0003a0bf.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x3A0BF; Size: 2392 bytes
    SHA-256: 4caeb51d4b590a0a84df1fccaa5da34dd0bd3bc5ab1b5ecf23142834e05b9df1
  • font_03_sfnt_off0003aba7.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x3ABA7; Size: 18308 bytes
    SHA-256: 6351c17174086aad8db3fcb08fdb7268dad2233673fa9315fed1c823a3d02db3
  • font_04_sfnt_off0003defc.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x3DEFC; Size: 17516 bytes
    SHA-256: 9580068983a0ff3322a385bc16a9079d4e4dd370a33803c8746aecf78b5f9663
  • font_05_sfnt_off0003f84a.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x3F84A; Size: 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378