Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb5fdb21d16a9b8c…

MALICIOUS

PDF

Size: 79.2 KB
Created: 2021-04-07 18:54:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f508d0a3b5f1af06b52e0e6029eff776
SHA-1: d07edef9eb6f7e61e9f520cbacab88b6be8acf6f
SHA-256: cb5fdb21d16a9b8c0bdb4ac164ddb4ee501d44eb58f4773d76dc17a504f67885
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document exhibits multiple indicators of a payment redirection lure, including heuristic hits for invoice/payment language, a password-protected archive handoff, and payment redirection. The embedded URL `https://xezojetit.ru/wix?keyword=payoneer+paypal+2020` strongly suggests a phishing attempt related to financial services such as Payoneer and PayPal. While no scripts were explicitly extracted, the ML classifier and the ClamAV detection indicate malicious intent, likely involving exploitation of PDF vulnerabilities to deliver a payload or redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
  • Payment redirection / bank-detail change lure [high] SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions; this is a high-value business-email-compromise pattern.
  • QR-code redirect lure [medium] SE_QR_LURE
    Document instructs the user to scan a QR code with a phone; this is consistent with QR phishing, but also common in legitimate documents.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URL: https://xezojetit.ru/wix?keyword=payoneer+paypal+2020

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f822.bin
  SHA-256: 402e77550bf720f220498e12c440024a4e781d2e296354c57537d652e15b1c86
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF822
  Size: 5012 bytes

Filename: font_01_sfnt_off00010945.bin
  SHA-256: cd70b3058e66242c01fb7ea091f1d52a254ca17563e8442b345c7398189db723
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10945
  Size: 11140 bytes