Malicious PDF — malware analysis report

Static analysis result for SHA-256 c90750e72fc50fd9…

MALICIOUS

PDF

88.3 KB Created: 2021-02-24 02:02:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 14b3f3b5ecec57bb045669bf8d3089c8 SHA-1: e12bc754d74c1ce3da3d81926ede9bc5b8468c38 SHA-256: c90750e72fc50fd99cebb93872ef3a20cd09a99ca83d475ddb14649cd7c42f23
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains embedded URLs, one of which is associated with a phishing lure related to a smoker firebox replacement. The ML classifier and ClamAV detection strongly indicate maliciousness, likely a phishing attempt or a downloader for further malicious content. The presence of embedded URLs suggests an attempt to redirect the user to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bologen.ru/aws?utm_term=brinkmann+offset+smoker+firebox+replacement
    • https://cdn.sqhk.co/somisafeg/ggjfZR8/82339302390.pdf
    • http://wogaxuma.22web.org/belling_double_oven_user_manual.pdf
    • https://cdn.sqhk.co/tezizejaropu/whdgOhh/mashup_songs_online_free_without_download.pdf
    • https://cdn.sqhk.co/ruwonumatag/Oje93id/digicel_international_app.pdf
    • https://cdn-cms.f-static.net/uploads/4368951/normal_601935703aa93.pdf
    • https://cdn.sqhk.co/lukumuzu/Q57ggji/63263423368.pdf
    • http://razajegusut.22web.org/15264863755.pdf
    • http://nupigit.22web.org/nutanorekuw.pdf
    • https://cdn.sqhk.co/kavejufa/wijKrib/redstone_maps_for_minecraft_pe.pdf
    • https://cdn.sqhk.co/bapisolel/rhchfRf/em_vs_en_dash_examples.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fuwuzerijofa/55790036119.pdf
    • https://s3.amazonaws.com/geraromu/fefozepo.pdf
    • http://jofisakukobi.rf.gd/redowewe.pdf
    • http://zonisitis.rf.gd/puporidobawotefekaju.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001187a.bin
c336003649782a7a7c59c8dd79cf98b20fd35ed9aeacdb77927d2f2d9aa537a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1187A 5480 bytes
font_01_sfnt_off00012b0e.bin
ad9080590f3abdb2dd387889b6b911aa569c160403a2e6b91a8e9428c7045016		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12B0E 12192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.