Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0d550a73ecb2b1a…

Verdict: MALICIOUS
File type: PDF
Size: 97.4 KB
Created: 2021-03-22 03:44:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 343453b29cd1b62687c9b07afac310bb
SHA-1: babdd61d141fb0c5a05702298849a62e8763433a
SHA-256: d0d550a73ecb2b1a6f4458aeb0a7d98d9b33ed95b2b9a02664beea4966138d43
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript (not corroborated by the static analysis below, which extracted no scripts from this file; the URL is delivered through a URI action, not through code)

The file is a PDF document carrying an external URI action whose target is a suspicious domain; both ClamAV and a machine-learning classifier flag the file as malicious. The visible document text is heavily obfuscated, but the lure theme is readable in the utm_term parameter of the link ('50 shades of gray 3 soundtrack'), a search-bait topic intended to entice the reader into clicking through to the malicious URL. No JavaScript or other scripts were extracted: the malicious URL is delivered by the PDF's own link-annotation/URI-action mechanism rather than by embedded code, which is why the signature-based and classifier detections matter more here than any script analysis.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9950

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) that say which path reached each URL are not included in this export.
    Flagged URL (the lure URL referenced in the summary): https://seumenha.ru/strik?utm_term=50+shades+of+gray+3+soundtrack
    Other URLs extracted from the document:
    • https://digojumowixev.weebly.com/uploads/1/3/5/9/135989627/9088158.pdf
    • http://tobalalupuvobiv.iblogger.org/kgf_audio_songs_telugu_lo_ing.pdf
    • http://bibuzikufaje.mygamesonline.org/how_to_reset_linksys_range_extender_to_factory_settings.pdf
    • http://xufozelit.iblogger.org/75599526884.pdf
    • http://kijuguwosaxo.22web.org/hockey_share_practice_plan_template.pdf
    • http://dusibarupuguli.medianewsonline.com/what_order_to_watch_marvel_tv_on_netflix.pdf
    • https://bebadivinokad.weebly.com/uploads/1/3/4/6/134604253/5092130.pdf
    • https://tadegelu.weebly.com/uploads/1/3/4/7/134734806/2818683.pdf
    • http://faladen.22web.org/99147350394.pdf
    • https://gukepofefefika.weebly.com/uploads/1/3/1/4/131437977/mojisubevejofikan.pdf
    • http://lebojabufi.medianewsonline.com/zukepago.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://sisuraregimu.rf.gd/c_l_a_y_clay_video.pdf
    • https://425e2ee7-996f-4c6d-a593-b44a2a39b733.filesusr.com/ugd/bb05c1_6fec0b906e0c4479999c8e07054dee5c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/19c81eda-63d8-4f4e-bad2-cdb5fad23b63/contrato_de_arrendamiento_forma_minerva.pdf
    • http://nafaradevofipaf.myartsonline.com/64363405215.pdf
    • https://7133fc40-0b9c-4701-b953-e7fafc934b44.filesusr.com/ugd/70a38d_6dd93a7d720d4714aa2f74d7ded9bc6c.pdf?index=true
    • http://miviloliwibo.rf.gd/bacterial_meningitis_guidelines_idsa.pdf
    • https://ed4d48c2-14ea-47f5-a89a-b82193587323.filesusr.com/ugd/8ce377_7079a597bb4d4276a8dd819460dfc835.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2aef8bea-cae3-4b36-be62-fab3f503bd09/39153626014.pdf
    • https://uploads.strikinglycdn.com/files/d79c338f-4f58-402f-8617-93d9661d58dd/60251068816.pdf
    • http://kegipufi.rf.gd/bisectors_of_triangles_5-_1_answers.pdf
    • http://gizejofak.epizy.com/que_es_la_anemia_ferropenica.pdf
    • https://uploads.strikinglycdn.com/files/eb43bc38-e9ac-44be-91d3-c21c4df16071/64636777826.pdf
    • http://xilutetixu.epizy.com/37695748212.pdf
    • http://nufufud.epizy.com/15309223459.pdf
    • https://uploads.strikinglycdn.com/files/0390639f-f94d-4fbc-ade7-62d6882e24ad/61090571360.pdf
    The following are XMP namespace URIs and the SIL Open Font License URL, identifiers carried in document metadata and embedded font data rather than clickable link targets:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
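As an added example (not part of the original report and not the analysis tool's own code), the Python script below performs the two structural checks reported above: it scans raw PDF bytes for indirect objects, reports object numbers defined more than once with different bodies, and lists the /URI action targets that a first-wins reader and a last-wins reader would each resolve. It runs on a constructed sample PDF embedded inline; the object numbers, URLs and incremental update in that sample are invented for illustration and have nothing to do with the analysed file. The scanner deliberately ignores the xref table, because the point of the duplicate-object check is that readers disagree about which definition is authoritative; it is a triage tool, not a conforming PDF parser, and a stream whose data happens to contain the bytes "endobj" would need a real lexer.

```python
import re
from collections import defaultdict

# Constructed sample, not the analysed file: a minimal PDF whose page carries a
# /URI link annotation, followed by an incremental update that redefines object
# 4 0 with a different target URL. No xref table is included because the
# scanner below never consults one.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.com/) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/strik?utm_term=bait) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" with the body captured; the lookbehind stops "1.4\n1 0 obj"
# style false starts. Non-greedy so each object ends at its own endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# A URI action: /S /URI ... /URI (target); the target ends at the first
# unescaped ")".
URI_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)


def find_objects(data):
    """Map (num, gen) -> list of body bytes in file order, xref ignored."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Object ids defined more than once with at least two different bodies."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(objs, policy):
    """Pick the body a first-wins or last-wins reader would use for each id."""
    idx = 0 if policy == "first" else -1
    return {k: v[idx] for k, v in objs.items()}


def uri_actions(objs, policy="last"):
    """(num, gen, url) for every /URI action visible under the given policy."""
    found = []
    for (num, gen), body in resolve(objs, policy).items():
        for m in URI_RE.finditer(body):
            found.append((num, gen, m.group(1).decode("latin-1")))
    return found


def analyse(data):
    """Duplicate-object and URI-action findings for one PDF byte buffer."""
    objs = find_objects(data)
    dups = duplicate_objects(objs)
    report = {
        "duplicates": sorted(dups),
        "first_wins": uri_actions(objs, "first"),
        "last_wins": uri_actions(objs, "last"),
    }
    # Severity is only worth raising when a duplicated object carries active
    # content; here "active" means it resolves to a URI action under either policy.
    active = {(n, g) for n, g, _ in report["first_wins"] + report["last_wins"]}
    report["active_duplicates"] = sorted(k for k in dups if k in active)
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

To run it against a real sample, replace SAMPLE_PDF with the file's bytes. When the first-wins and last-wins URL lists differ, the duplicated object carries active content and the informational PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding should be treated as a real parser-confusion attempt rather than a benign incremental save.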

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off00011f69.bin
  SHA-256: 5901c8c60479d68ab26e6e9c366e7e5c55453f8584a248ec7601253382041cf1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11F69
  Size: 6236 bytes

font_01_sfnt_off0001346c.bin
  SHA-256: 2b7b74934d48eea40dd96dffb01ee978f9ed14f0dc00e6e88d17977b791f4025
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1346C
  Size: 5752 bytes

font_02_sfnt_off0001480c.bin
  SHA-256: 442f1b4626b82818f1c84ad2f7a1c9171deefca8f5d5ce8d8088f0410630013d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1480C
  Size: 15552 bytes