Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0521b767c7ca4df…

Verdict: MALICIOUS
File type: PDF
Size: 332.3 KB
Created: 2022-05-26 17:43:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2022-07-15
MD5: 46f656be34645e7ded91540bde94d0f0
SHA-1: 16d6514a8974b6ede0f05eb8c1e970b1df7e6ef3
SHA-256: d0521b767c7ca4df0c143f68322ce809e284a4469ae4dbfa79cd092b7dda2582
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. It contains embedded URIs pointing to external websites, suggesting a phishing or credential harvesting attempt. The primary malicious URI identified is https://norin.co.za/XSRYdR1H, which is likely used to deliver a secondary payload or redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7163

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://norin.co.za/XSRYdR1H?utm_term=cat+3406e+service+manual+online+book+free

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0004c09c.bin
  SHA-256: 6d81dcb381699c6e2104f69c35e1e4850e6823dc25579b87322fdd1c758597c1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4C09C
  Size: 11464 bytes

Filename: font_01_sfnt_off0004dbd2.bin
  SHA-256: 983e22007e4ec9dcc5f98a9a7b8f26b745eef0dd315a1ae0e772f6ae5ebc31ca
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4DBD2
  Size: 17252 bytes

Filename: font_02_sfnt_off000508e7.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x508E7
  Size: 16792 bytes