Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2ff4e4e9f017e0f…

MALICIOUS

PDF

154.6 KB Created: 2020-11-11 17:39:11 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 32c66d8bf6dc9a01446206a20c88113b SHA-1: 1dffcc3dcd6c365eaa35de41b184b4f1f916c512 SHA-256: d2ff4e4e9f017e0f80d9923a7fc72dad43c44fbe14143ca3e49c378bfed8d7bb
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that redirects to a phishing site, disguised as a game guide. ClamAV and ML classifiers strongly indicate maliciousness. The presence of embedded URLs and the nature of the content suggest a phishing attempt to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffnew.ru/aws?utm_term=another+eden+boss+guide
    • https://vonubaxuted.weebly.com/uploads/1/3/1/4/131452839/0332cc312a195b.pdf
    • https://tisefujuset.weebly.com/uploads/1/3/4/4/134488269/b12218f17f5c27.pdf
    • https://tubumafipe.weebly.com/uploads/1/3/4/4/134458357/03fbbfa94bf05d.pdf
    • https://natagudere.weebly.com/uploads/1/3/4/5/134526504/tibujiwi_wodenoburax.pdf
    • https://biwawabagukolaz.weebly.com/uploads/1/3/4/7/134730268/901a31c1dff2f.pdf
    • https://pokumajapemen.weebly.com/uploads/1/3/4/4/134490217/mixuxasizaw-firesar.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kekunawi/free_phr_study_guide_2019.pdf
    • https://s3.amazonaws.com/domegagowevag/77582374082.pdf
    • https://s3.amazonaws.com/gonavo/sat_physics_subject_test_dates.pdf
    • https://s3.amazonaws.com/tetazino/95178348776.pdf
    • https://s3.amazonaws.com/jijumupade/31936441569.pdf
    • https://uploads.strikinglycdn.com/files/df962176-de6a-450f-8898-00ccdab14959/2805264911.pdf
    • https://s3.amazonaws.com/degisapemifa/54774333455.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off000228e0.bin
bbf34c0542126bfc7a9d09c019b91e01fc1f52f7052ad0ce9c9ddb610ebd26e8		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x228E0 30300 bytes
font_00_sfnt_off0001f0b7.bin
34e6868d9c610a96416aa03905a46089d8a238437e441908060d0dc8fe4d2617		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1F0B7 4976 bytes
font_01_sfnt_off00020199.bin
75ab18357221acaeaa4ce5dadb0d1bc2ee5ec7a3b7b1ebe706c954a6d864f6c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20199 11448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.