Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc7ff6824f7162fd…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-03-27 23:30:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2b2bf6015bd869928504593c22caccd1
SHA-1: 7ec30415bccb7a1e3b71ce8e1f715c0a3e497bc4
SHA-256: cc7ff6824f7162fd909c0a0886bec374c39c5761490386a062562310f0a2d57a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF is detected as malicious by ClamAV and by the ML classifier. It contains an embedded URL that leads to a suspicious domain, most likely for phishing. The document body, though heavily obfuscated, appears to be a lure styled as a product manual, intended to trick the user into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
    ClamAV detected this file as malware under the signature above.
  • External URI action (info, PDF_URI)
    The PDF contains an external URL action (/S /URI), i.e. a link that opens a remote resource when activated.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (such as an action or script).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://mezovuduw.ru/wix?keyword=braun+series+7+790cc+manual
    • http://vazawujuzu.sportsontheweb.net/james_and_the_giant_peach_summary_chapter_36.pdf
    • http://sagapopefa.iblogger.org/sentry_safe_lock_replacement_parts.pdf
    • https://cdn.sqhk.co/namaboniki/jjhwjav/final_fantasy_8_adamantine_drop_rate.pdf
    • https://cdn.sqhk.co/suwapipejob/oPhejgZ/playstation_app_pc_chat.pdf
    • https://cdn.sqhk.co/futevanu/idOifw0/survival_on_raft_ocean_nomad_mod_apk_download.pdf
    • http://zabemaladameg.medianewsonline.com/2011_bmw_328i_service_manual.pdf
    • https://cdn.sqhk.co/rowubuvuke/ijgcjoa/fantasy_premier_league_winner_2019_20.pdf
    • http://gofimowekes.66ghz.com/trombone_sheet_music_jazz.pdf
    • http://wusator.mygamesonline.org/98113584544.pdf
    • https://cdn.sqhk.co/gapevusa/fGpji48/gotowiz.pdf
    • http://xubajur.mygamesonline.org/zefifere.pdf
    • https://cdn.sqhk.co/sodovokak/MGiijhR/maniacal_monkeys_bursting_guide.pdf
    • https://cdn.sqhk.co/vafegijateno/Bpjhhh0/malelaxu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://benamow.myartsonline.com/gomizixitow.pdf
    • https://044e8d80-c429-4a1f-820d-9b443c65b389.filesusr.com/ugd/53c654_e74db9432fd84739a2b1fec98cf57408.pdf?index=true
    • http://suxaxisanu.rf.gd/80227411090.pdf
    • https://uploads.strikinglycdn.com/files/2f5f08b2-acfd-4890-97d3-cf309290a34f/run_on_sentence_worksheet_third_grade.pdf
    • https://uploads.strikinglycdn.com/files/21c30d4e-5c28-43bd-a06c-b40136eeed80/will_an_evap_line_be_pink.pdf
    • https://uploads.strikinglycdn.com/files/1d082628-03ad-4825-a62b-cf4eb924d71d/first_alert_test_sequence.pdf
    • http://gotikomerutoj.rf.gd/tofenakebugoreloxakapame.pdf
    • https://30cc9e9c-6145-4029-bfdc-d0561bdb3a10.filesusr.com/ugd/0dcf4b_2665b158f3b4479097d191b98eb49a2e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/4e0f44b8-8c43-4a8f-90b1-7eafbb816819/best_whittling_starter_kit.pdf
    • https://d6aab468-caab-4d9e-910f-d3bf64ae4104.filesusr.com/ugd/5438e3_e867d412d949440683e4af95c29556f3.pdf?index=true
    • https://5a995288-ce6f-4ae3-a3e6-14272d8003db.filesusr.com/ugd/7be1cd_b79bd17b33484f449cc40bb49a219a8d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8a387a97-6469-4c00-be94-f2557e8599e0/taremazu.pdf
    • http://rivagajogitow.epizy.com/anemia_gravis_adalah.pdf
    • https://45e41439-46a4-4c97-84f0-155cfeda4cef.filesusr.com/ugd/9d7ad9_9da759d6d0404fac9adf9d7dc470f62a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
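The two structural heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a small regex-based triage script. The following Python is an added example written for this page, not code from the analysis platform or from ClamAV. It runs over a constructed minimal PDF (SAMPLE_PDF, an assumption made here, not the analysed sample) in which an incremental update redefines the link-annotation object 5 with a different /URI, and shows that a first-wins reader and a last-wins reader resolve different targets. It is a triage aid, not a conforming PDF parser: objects inside compressed object streams are not seen, a stream body containing the bytes "endobj" would be truncated, and string unescaping is minimal.

```python
import re

# Constructed sample (not the analysed file): a minimal PDF whose incremental
# update redefines object 5, a link annotation, with a different /URI target.
# The second definition uses a hex string, a common light obfuscation.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 0 >> stream
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
/A << /S /URI /URI (https://www.example.org/manual) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
/A << /S /URI /URI <687474703a2f2f61747461636b65722e696e76616c69642f6c757265> >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" in file order; DOTALL so bodies may span lines.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI followed by a literal string (...) or a hex string <...>.
URI_STRING_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
# Keys that make a duplicated object "active content" rather than layout.
ACTIVE_RE = re.compile(rb"/(?:S\s*/URI|JS|JavaScript|Launch|OpenAction|AA)\b")


def iter_objects(data):
    """Yield (object_number, generation, body, offset) for every object definition."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def find_duplicate_objects(data):
    """{(num, gen): [body, ...]} for objects defined more than once with differing bodies."""
    bodies = {}
    for num, gen, body, _ in iter_objects(data):
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve_objects(data, policy="last"):
    """Object table as seen by a first-wins ('first') or last-wins ('last') reader."""
    table = {}
    for num, gen, body, _ in iter_objects(data):
        if policy == "first" and (num, gen) in table:
            continue  # first-wins: keep the earliest definition
        table[(num, gen)] = body  # last-wins: later definitions overwrite
    return table


def _decode_pdf_string(literal, hexstr):
    """Minimal decoding of a PDF literal or hex string to text."""
    if literal is not None:
        s = literal.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        return s.decode("latin-1")
    h = re.sub(rb"\s", b"", hexstr).decode("ascii")
    return bytes.fromhex(h + "0" * (len(h) % 2)).decode("latin-1")  # odd length pads with 0


def extract_uris(data, policy="last"):
    """URIs reachable through /S /URI actions, as resolved under the given policy."""
    uris = []
    for body in resolve_objects(data, policy).values():
        if not re.search(rb"/S\s*/URI\b", body):
            continue
        for m in URI_STRING_RE.finditer(body):
            uris.append(_decode_pdf_string(m.group(1), m.group(2)))
    return uris


def analyse(data):
    """Summarise both heuristics for one PDF byte string."""
    dups = find_duplicate_objects(data)
    active = [k for k, bodies in dups.items() if any(ACTIVE_RE.search(b) for b in bodies)]
    return {
        "duplicate_objects": sorted(dups),
        "active_duplicates": sorted(active),  # duplicates that warrant raised severity
        "uris_first_wins": extract_uris(data, "first"),
        "uris_last_wins": extract_uris(data, "last"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_PDF), indent=2))
```

On the constructed sample, analyse() reports object 5 as an active duplicate, a first-wins reader resolving https://www.example.org/manual and a last-wins reader resolving http://attacker.invalid/lure; that divergence is exactly what the heuristic flags. For a real file pass open(path, "rb").read() and expect the URI list to include XMP namespace URIs and font licence links like those in the list above, which is why the report labels the channel per URL rather than treating any URL as a detection.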

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f68a.bin
  SHA-256: 45ab27f1c263fb1f92cf4e47bb983acb1a77f512015c38721ea7f2731e0c7ffc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF68A
  Size: 5372 bytes

Filename: font_01_sfnt_off000108b6.bin
  SHA-256: 293595a106862d93beea6df1d87c878d3a3fda765e58f129efc047dbd4a05def
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x108B6
  Size: 10896 bytes