Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0ddb4f790eebe72…

Verdict: MALICIOUS
File type: PDF
Size: 74.3 KB
Created: 2021-03-26 12:36:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 440f39e98e3c37c90777b03145af684e
SHA-1: 13ac55a855555fc1913af0c94272e24f87d442e3
SHA-256: d0ddb4f790eebe7210028f3ac16cb9a8e354619ed8e9cf96feb0e13e7a5ab6c3
Risk Score: 166

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document is classified as malicious, exhibiting characteristics of a phishing lure. It contains multiple suspicious links, including one that is invisible and points to a domain designed to host malicious content. The document body, though heavily obfuscated, suggests a lure related to educational materials to entice users to click on these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain (high, PDF_SUSPICIOUS_LINK_LURE)
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e06a.bin
    SHA-256: 5434ae6c4d14f09277844f96192631a6c909d05f4a683cc72e7f9090657453d3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE06A
    Size: 6076 bytes
  • Filename: font_01_sfnt_off0000f53e.bin
    SHA-256: b065c60425e63c281917220d61c5832a73762e30aa0f4e3c29ccdc1d43c49178
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF53E
    Size: 10388 bytes