Malicious PDF — malware analysis report

Static analysis result for SHA-256 cefcb8f2b547c350…

Verdict: MALICIOUS
File type: PDF
Size: 165.7 KB
Created: 2021-03-23 14:02:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 58aacafabf0cf0dc0a84f7a44ed55883
SHA-1: d9e1ae86128944e9484e9fcfde3bf0cd7e105cdd
SHA-256: cefcb8f2b547c35037fe1a41d2d1e68989b38c00751a33000801a312684c2a8a
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an algorithmically generated URL that points to a malicious PDF, indicating an attempt to distribute further malware or conduct phishing. The ML classifier and ClamAV detection strongly support its malicious nature. While no scripts were explicitly extracted, the presence of external URIs and the heuristic firing for PDF_RANDOM_URL_LINK suggest the document is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL (severity: high, rule: PDF_RANDOM_URL_LINK)
    The PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures, in which the visible document is only a prompt; it is not a PDF parser vulnerability.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/award?keyword=arabian+nights+book+pdf
    • http://topcreditmonitoring.info/electron_configuration_pogilt8oqm.pdf
    • http://sabovibin.medianewsonline.com/digital_design_and_computer_architecture_solutions.pdf
    • http://graatorama.space/votanozoh4cxo.pdf
    • http://nakozek.mypressonline.com/fomofosafulixunisawewud.pdf
    • https://cdn.sqhk.co/viforoge/DjeGTQm/descargar_minecraft_pocket_edition_para_pc_windows_10.pdf
    • https://cdn.sqhk.co/diwewiduvaz/bgc56hs/odyssey_frog_jumping_from_the_top_deck.pdf
    • https://fipaziditude.weebly.com/uploads/1/3/4/4/134465794/sevowem.pdf
    • http://forkidsshop.online/soulseek_can_t_change_folderpbqkj.pdf
    • http://d2-club.ru/bossam_v6_gsc_ps346zdk.pdf
    • http://wiinorama.space/getifunosefogowuniteralugptxpb.pdf
    • https://jirogadipew.weebly.com/uploads/1/3/1/6/131606393/duzabekixidi-moxebiwomaxo-joxigilu.pdf
    • https://dofafurubes.weebly.com/uploads/1/3/4/7/134762343/lexakawovazi.pdf
    • http://manuximaxemeje.scienceontheweb.net/deziwuvebu.pdf
    • https://nabebumiz.weebly.com/uploads/1/3/1/4/131452902/vomorox_kifowozopidik.pdf
    • http://vuletotam.scienceontheweb.net/zivuwivukuvokimuzu.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a943cdc4-551e-4fd6-8842-bb1c82e441e2.filesusr.com/ugd/a0303e_15524d3a036c41ad9d5288fd842819a8.pdf?index=true
    • http://liroporuki.myartsonline.com/certificat_vente_vhicule_occasion.pdf
    • https://8eeb1f0a-0cdd-4c66-98a4-83777b49fb54.filesusr.com/ugd/64f9d2_d3ebac7f730f49c99a9f8688e1087165.pdf?index=true
    • https://efa91360-7c21-416c-9d60-3189e0beb381.filesusr.com/ugd/42ffc7_d05257492a5a455d9d195f2847ab7fa4.pdf?index=true
    • https://c63ca81c-6df4-4ec3-bc2e-8508f29a6879.filesusr.com/ugd/d48fe3_5d9099b7a3034ba899b23fd2b08c686d.pdf?index=true
    • https://eda93683-a6ca-45e9-8056-ca7adea7f1dc.filesusr.com/ugd/d655db_35e5b67ab06a40188dd16de8def8f705.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_005_off00025d4b.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x25D4B
  Size: 25112 bytes
  SHA-256: 2e9c7d761d49b2fbb406a6f5933c5c72f3fda5a985bb898c4018dd40415a2787

Filename: font_00_sfnt_off00021d00.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x21D00
  Size: 5464 bytes
  SHA-256: 674c4d70721813f40ca1044d433e0d741beee87f6080414f6da83970bbb08cb7

Filename: font_01_sfnt_off00022f8c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x22F8C
  Size: 15552 bytes
  SHA-256: 69ece8c051dd3a02fb2d42ce2f79373986b8d89e6b36ab74543407d5b1773578