Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce7e88ee9292cbda…

Verdict: MALICIOUS

File type: PDF

Size: 320.5 KB
Created: 2021-04-02 10:48:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: f4f18bf5ea1b67f88038cc0872703944
SHA-1: 929b5a05fcf0cfb16240a0db8430f926f877a8b3
SHA-256: ce7e88ee9292cbda6d81701177bf679983857b3c2cbde2dd8607034065172a31

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI that directs to a URL designed to mimic a search result for a specific book. This technique is commonly used in phishing or malware distribution campaigns to trick users into visiting malicious sites. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9674

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://maypoin.ru/wix?keyword=holt+elements+of+literature+fifth+course+the+crucible+pdf
    • https://dikanutedageke.weebly.com/uploads/1/3/4/4/134457663/73c3e3a59.pdf
    • https://difanewoxapazu.weebly.com/uploads/1/3/5/3/135321324/begivesinigujuwofaro.pdf
    • https://gevafitasib.weebly.com/uploads/1/3/1/3/131380901/xidutapojomuba-fepijojulidagaj.pdf
    • http://gamukanemafutu.mywebcommunity.org/american_english_file_2.pdf
    • http://kengoru.space/125387241069gc69.pdf
    • http://meinekarten.best/android_phone_reviews_20182bzm5.pdf
    • http://milanbeach.fun/3540957302iyd05.pdf
    • https://fatibetoliwan.weebly.com/uploads/1/3/4/7/134731660/d5dc738.pdf
    • https://ranixujofenak.weebly.com/uploads/1/3/4/0/134016935/4a8624eb4375c00.pdf
    • http://rawutunulodewo.iblogger.org/panasonic_viera_50_inch_plasma_tv_specs.pdf
    • http://fibaxoxadomi.sportsontheweb.net/37689303392.pdf
    • http://autolombardpro.ru/2232511361730o7e.pdf
    • http://gramnews.xyz/weekly_meal_planner_freesclhi.pdf
    • http://sirunome.mypressonline.com/27_amendments_quiz.pdf
    • https://fejuzewe.weebly.com/uploads/1/3/4/8/134883228/3459757.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e1bd05e7-a2ed-43df-b5fc-9bc8ee0b1a84.filesusr.com/ugd/08acf3_66c35444fcdb496da98cd2bdba212681.pdf?index=true
    • http://zudupaxub.myartsonline.com/where_to_buy_wahl.pdf
    • https://488c2ff9-9ff4-499e-8f11-525115e20b22.filesusr.com/ugd/8aba0c_9a11a82ed6c3433fb66df5efcc9cd5aa.pdf?index=true
    • https://044e8d80-c429-4a1f-820d-9b443c65b389.filesusr.com/ugd/53c654_8f121e6ff77245d4ba58009688263896.pdf?index=true
    • http://toratolobojede.rf.gd/69582228993.pdf
    • https://4eb3a9b5-ca6a-4b2a-896e-878abc754f3b.filesusr.com/ugd/f1ab86_ae6b57781a654ae09a938d4f3dad0929.pdf?index=true
    • http://vivemowirarok.rf.gd/nobin.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off00048625.bin
    SHA-256: a86e1a610d5442e65c1edb8142c707188513655794a5ffc15987c8c94a1ce125
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x48625
    Size: 9220 bytes
  • Filename: font_01_sfnt_off0004a410.bin
    SHA-256: f5515050e77a717d59cf35822873d1a29634c2e59fce7d57fa034bde5d8c9c7a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A410
    Size: 5496 bytes
  • Filename: font_02_sfnt_off0004b687.bin
    SHA-256: 1f7893601227280b2e3d985d350ca53e9787dd69994f2b7eb3a4050246ea1367
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4B687
    Size: 24412 bytes