Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce8b8231e0e11fed…

MALICIOUS

PDF

78.3 KB Created: 2021-02-20 08:20:52 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 02a1cf11a99bebb788e8ec443bf1e67d SHA-1: 17216997dec40cce5ac7901dcf066036d4f08de6 SHA-256: ce8b8231e0e11fed17b90ca4dfea3e1c49a527df6966adb44f3f6bb814d82f42
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains an embedded URI that points to a malicious domain, disguised as a product guide. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware distribution. The document body is heavily obfuscated, preventing a clear understanding of its specific payload, but the presence of external URLs is a strong indicator of a malicious lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/wix?keyword=milescraft+saw+guide+for+circular+saws+and+jigsaws
    • http://maturibcgj.space/ingersoll_rand_air_dryer_error_codesdi6mk.pdf
    • https://static.s123-cdn-static.com/uploads/4414688/normal_60081adc4f4b7.pdf
    • https://static.s123-cdn-static.com/uploads/4386074/normal_5fe52f92567cd.pdf
    • http://jurofenopoxu.iblogger.org/the_dictionary_of_cultural_literacy_2nd_edition.pdf
    • http://bopepon.22web.org/does_not_name_a_template_type_error.pdf
    • https://static.s123-cdn-static.com/uploads/4459027/normal_60000cf3dc019.pdf
    • https://cdn-cms.f-static.net/uploads/4486220/normal_601448545370f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/mefonevimimix/amanah_saham_bumiputera_annual_report_2017.pdf
    • https://s3.amazonaws.com/jusuberu/consent_form_template_for_interview.pdf
    • https://s3.amazonaws.com/sinadi/30496644754.pdf
    • http://towirasoruxapob.rf.gd/96781727965.pdf
    • https://s3.amazonaws.com/ravuxudibure/black_blue_wallpaper.pdf
    • https://s3.amazonaws.com/divexikav/anti_fraud_information_system.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f4eb.bin
789a489b854f8e53cb617fd1aa967154cdfd795cc095f945bfc8bcf7a24a3ce0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF4EB 5364 bytes
font_01_sfnt_off0001075a.bin
be3168e51c4a5257561276c8d442e42b4ac7ab4f73d90340206acfd470a2c13b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1075A 10580 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.