Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbb1cd0874752bc4…

MALICIOUS

PDF

Size: 71.0 KB
Created: 2021-04-04 14:09:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5b72b7d70f6ed7126a022db4ca960332
SHA-1: 2cecb3f6bb12e751fd61098a2d16a2704f95553c
SHA-256: cbb1cd0874752bc4485847999af21606ede39eaae7c117296ec71b3f1ad007b8
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged by ClamAV as Pdf.Phishing.Trojan. The embedded URL, 'https://leonvi.ru/wix?keyword=castlevania+aria+of+sorrow+rom+free+download', suggests a phishing lure disguised as a search result for a game download. While no scripts were explicitly extracted, the ML classifier and ClamAV detection strongly indicate malicious intent, likely involving redirection to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://leonvi.ru/wix?keyword=castlevania+aria+of+sorrow+rom+free+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                    | Size
------------------------------|------------------------------------------------------------------|-----------------|-------------------------------------------|-----------
font_00_sfnt_off0000da72.bin  | 40bf7c4ada92acf3a1791d6ce0f37eec97ad9c6da4b55cfa18a4726b639b7959 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDA72 | 5112 bytes
font_01_sfnt_off0000ebcf.bin  | df868ac1006d7afa25607c23b0d58a4d407e0bf11053a51b0b667fc5e476a349 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEBCF | 9936 bytes