Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb7fe92c04a4b8f6…

Verdict: MALICIOUS
File type: PDF
Size: 72.7 KB
Created: 2021-04-01 22:08:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3624c8c26e245a40377909ed25752d52
SHA-1: b74a448b2e975554e1ed21e9a51896c65141b875
SHA-256: cb7fe92c04a4b8f63cf04be0790958d2cae72f327b7bd61fc0392450c8d4d964
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The ML classifier and ClamAV detection strongly indicate malicious intent. The PDF contains embedded URLs, one of which is `https://zajinet.ru/wix?keyword=bosch+gll+2-45+parts`, suggesting a lure to a phishing or malware distribution site. While no scripts were explicitly extracted, the PDF structure and embedded URIs are consistent with techniques used to deliver malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/wix?keyword=bosch+gll+2-45+parts
    • http://tilosag.mypressonline.com/42197714401.pdf
    • https://static.s123-cdn-static.com/uploads/4385869/normal_5fdcbd1bc318b.pdf
    • https://static.s123-cdn-static.com/uploads/4414174/normal_5fee9d34b3dc3.pdf
    • http://laserisesiseno.getenjoyment.net/calculus_and_analytic_geometry_key_book.pdf
    • http://nesebonuvobeju.getenjoyment.net/duwajikesokubiremiz.pdf
    • http://rigoditibalun.mywebcommunity.org/where_can_i_donate_dog_toys_near_me.pdf
    • https://cdn-cms.f-static.net/uploads/4412894/normal_5fea3a70ab5a4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e1318bff-d970-45e2-bcea-45481503a18b.filesusr.com/ugd/75a96d_e906cf832c2c45ae87994f02c2d9bcbd.pdf?index=true
    • https://s3.amazonaws.com/tuxalowafokuvo/appearance_and_character_vocabulary.pdf
    • https://uploads.strikinglycdn.com/files/e9f735b7-e5f3-4c2b-8f79-cdfcc7f8300e/78034740024.pdf
    • https://s3.amazonaws.com/tevomenil/tarot_deck_interview_spread_biddy.pdf
    • http://guseboses.atwebpages.com/collection_of_formal_letters.pdf
    • https://17673d3b-e5d0-4e0e-8211-f079fadf35f5.filesusr.com/ugd/13ae68_39c91481c5614b1eb8a7c3b5ad787bfe.pdf?index=true
    • https://s3.amazonaws.com/lanaladu/peptic_ulcer_surgery_guidelines.pdf
    • https://9df6e0af-a028-4e88-91ba-61a1b37318d5.filesusr.com/ugd/7c1f05_69523370d2e74d5191854ae7b6c47455.pdf?index=true
    • https://uploads.strikinglycdn.com/files/68395d01-066e-43b9-a3cb-d132402feeb2/fefofujisobo.pdf
    • https://uploads.strikinglycdn.com/files/36f873e9-0ab9-4ec5-8e7d-7714f4f1677c/whirlpool_cabrio_washer_codes_f5_e2.pdf
    • https://85fc0914-20e3-4f1c-be8c-de7e6f89f47e.filesusr.com/ugd/a44510_ea50105633fc4f8f829f4a9657b5f086.pdf?index=true
    • https://72dfff08-f6cb-4f5d-aaac-ebe71175d6a6.filesusr.com/ugd/c268f7_ab8bb9cadc4e4b8dbcd4f4659fd54240.pdf?index=true
    • https://fad58b31-c538-4d3f-828d-7998eec853b9.filesusr.com/ugd/7e6083_87e363c605ec4fa990f7fa8434cfd817.pdf?index=true
    • https://2a4065d7-883d-43e8-a524-7ce9aa4b4e88.filesusr.com/ugd/ccb1c6_70e992e0c73a496e9a0829ecf26b12ee.pdf?index=true
    • https://2ddc7431-ff91-46e9-9708-195efd6cc195.filesusr.com/ugd/ffe0d3_b8e5c78e64b247959a2443ce7f55669d.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000de87.bin
  SHA-256: ba76973caa3fe8fbb376169c8010055ada255a4db4ec1cae3774fee515a9bf3c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDE87
  Size: 5620 bytes

Filename: font_01_sfnt_off0000f1b8.bin
  SHA-256: 8fa2b209efc6a16ffb0329bd41c55a7b37c052d9428c5c99c4c1f9dc5a704a27
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF1B8
  Size: 10560 bytes