Malicious PDF — malware analysis report

Static analysis result for SHA-256 d49ce6ef9ac82fed…

Verdict: MALICIOUS
File type: PDF
Size: 118.0 KB
Created: 2021-04-06 13:19:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6824dcc2399f62743e246f2b6d8bce4
SHA-1: 7a41e5900c8d699ac4aef568380825c49cb24f01
SHA-256: d49ce6ef9ac82fed738bb28956e0af836424316aece2ce3ae8d5c1f177296070
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries an external URL action whose target, https://midufefew.ru/wix?keyword=harley+quinn+and+joker+pictures+together, is a suspicious domain likely used for phishing or malware distribution. The document body is heavily obfuscated; the popular-culture lure the classifier refers to is visible in the query string of that URL. The other extracted links are mostly randomly named .pdf files on free-hosting subdomains (epizy.com, iblogger.org, 22web.org, rf.gd, atwebpages.com, onlinewebshop.net, scienceontheweb.net) and throwaway domains, which is consistent with a mass-produced link lure rather than an exploit document. No script streams were extracted, so the T1059.007 (JavaScript) mapping is not supported by the static evidence in this report; the verdict rests on the ClamAV phishing signature, the URI action and the classifier's high confidence score. The trailing w3.org, purl.org, ns.adobe.com, gnu.org, sil.org and dejavu.sourceforge.net entries in the URL list are XMP namespace and font-license strings, not navigation targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9814

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (/S /URI).
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for it, a parser-confusion shape used by targeted PDFs. Body-only differences are also exactly what a benign incremental update produces, so severity is raised only when the duplicate carries active content (for example a script or action dictionary); here it stayed at info.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) says how each one was reached. Those labels are not reproduced in this listing; the first entry is the one the report singles out.
    • https://midufefew.ru/wix?keyword=harley+quinn+and+joker+pictures+together
    • http://semengergel.ru/how_to_teach_a_3_year_old_to_draw_a_personrgsr2.pdf
    • http://potenciy.xyz/exercices_quadrilatres_cm2__imprimwb3w4.pdf
    • http://lefomasa.22web.org/behaviour_support_plan_sample.pdf
    • http://kodupebomabugu.iblogger.org/against_medical_advice_book.pdf
    • http://1xbet-football.fun/peak_secrets_from_the_new_science_of_expertise_kindlee9vz2.pdf
    • http://pigokakiw.iblogger.org/vorivuva.pdf
    • http://card2card.live/93385024039sh27m.pdf
    • http://rewokujow.scienceontheweb.net/98963070781.pdf
    • http://remont-kvartir-otzyvy.moscow/midakotejudivapetawipum0nmsr.pdf
    • http://masirudukumope.iblogger.org/nagikixupazotibirozez.pdf
    • http://znalomstvavip.site/jinabadzszp.pdf
    • http://sinujob.22web.org/syntactic_categories.pdf
    • http://galoomer.online/pipalet29ub.pdf
    • http://ecoservice-vlad.ru/70193485382vchuj.pdf
    • http://idealica-columbia.site/super_placar_futebolseg0j.pdf
    • http://vertitribe.store/kekojuvexisogokemisadozirb3qsw.pdf
    • http://securespot.ru/zivuxexukemovejiketake3epnj.pdf
    • http://20970907.net/vudojofateyids5.pdf
    • http://goodsun.space/80498776226ym33w.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nopugorib.onlinewebshop.net/how_much_does_it_cost_to_repair_charging_port_iphone_7.pdf
    • http://matazovazer.epizy.com/4591805318.pdf
    • http://rivebop.epizy.com/inventory_discrepancy_report_form.pdf
    • http://pakafadudu.epizy.com/adjectival_phrases_worksheet.pdf
    • http://zuputes.atwebpages.com/is_haier_a_good_refrigerator_brand.pdf
    • http://vububajoli.rf.gd/meruzomumeni.pdf
    • http://lalemifeluruka.epizy.com/buwaxegonilagexel.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
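The two PDF-structure heuristics above (duplicate object definitions with first-wins versus last-wins resolution, and URL extraction with per-channel labels) are easy to reproduce on an uncompressed file. The following is an added example written for this page, not the analysis platform's own code; it is a lenient regex scan over the raw bytes rather than a full PDF parser (no xref parsing, no object streams, no stream decompression), and the sample PDF, its URLs and the heuristic names are constructed for the demonstration.

```python
"""Triage helpers for duplicate indirect objects and URL channel labelling."""
import re

# Constructed sample (not the analysed file): a first revision whose link
# annotation (object 4) points at a benign URL, an uncompressed XMP metadata
# stream, and an incremental update that redefines object 4 with a new /URI.
# /Length values are not checked by this scanner.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >> endobj
5 0 obj << /Type /Metadata /Subtype /XML /Length 66 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://free-host.example/lure.pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
ACTION_URI_RE = re.compile(rb"/S\s*/URI\b")            # the object holds a URI action
URI_STR_RE = re.compile(rb"/URI\s*\(([^)]*)\)")         # literal-string form only, no escapes
RAW_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
# Keys whose presence in a redefined object turns an 'info' duplicate into a warning
# (plain substring check, so /AAPL would also hit /AA; good enough for triage).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")
# XMP namespace declarations: rdf/dc/xap URLs that are metadata, not navigation targets.
XMP_NS_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns", "http://purl.org/dc/", "http://ns.adobe.com/")


def scan_objects(data):
    """Return (num, gen, body) for every 'N G obj ... endobj' in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip()) for m in OBJ_RE.finditer(data)]


def find_duplicates(data):
    """{(num, gen): [body, ...]} for objects defined more than once with differing bytes."""
    seen = {}
    for num, gen, body in scan_objects(data):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(data, num, gen, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen), or None."""
    bodies = [b for n, g, b in scan_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def duplicate_findings(data):
    """One finding per duplicated object; severity raised only when active content is involved."""
    findings = []
    for (num, gen), bodies in find_duplicates(data).items():
        active = any(has_active_content(b) for b in bodies)
        findings.append({
            "object": (num, gen),
            "definitions": len(bodies),
            "severity": "warn" if active else "info",
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
        })
    return findings


def extract_uri_actions(data):
    """(num, gen, url) for every /URI string inside an object that holds a /S /URI action."""
    out = []
    for num, gen, body in scan_objects(data):
        if ACTION_URI_RE.search(body):
            for m in URI_STR_RE.finditer(body):
                out.append((num, gen, m.group(1).decode("latin-1")))
    return out


def label_urls(data):
    """Raw URL sweep over the whole file, each hit labelled by the channel that carried it."""
    via_action = {url for _, _, url in extract_uri_actions(data)}
    labels = {}
    for m in RAW_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url in via_action:
            labels[url] = "uri-action"
        elif url.startswith(XMP_NS_PREFIXES):
            labels[url] = "xmp-namespace"
        else:
            labels[url] = "document-body"
    return labels
```

Running `duplicate_findings(SAMPLE_PDF)` reports object (4, 0) defined twice with severity `warn`, because both bodies carry a /URI action; `resolve(SAMPLE_PDF, 4, 0, "first")` returns the benign annotation while `"last"` returns the lure, which is the reader-disagreement the heuristic describes. `label_urls` separates the two action targets from the rdf-syntax-ns URL that only exists because the XMP packet declares it; on a real sample the font-license strings would need the same kind of allow-list before being treated as indicators.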

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00014dd7.bin
  SHA-256: 746cda19d0a45b0d6108c63ff8192b2f88c2fff5e5937e692a7cb04b31166607
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x14DD7   Size: 6588 bytes
font_01_sfnt_off00015e51.bin
  SHA-256: 415bd98410bad039553995f7d8988f2fa5a3434df8c040cf6fbde66aa83d0618
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x15E51   Size: 5664 bytes
font_02_sfnt_off0001718d.bin
  SHA-256: a9019ea93ca8c49caaf8e9c370a88a294e9bdd03889c7a9fc8597def99d6f073
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x1718D   Size: 5584 bytes
font_03_sfnt_off00018126.bin
  SHA-256: 69f22e7ff8ad772bcf7f1075000d3609bdac98da2ad40ee10f093fa85cf052d2
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x18126   Size: 15972 bytes
font_04_sfnt_off0001b1c0.bin
  SHA-256: bb524ea9c7ad77d97cb23dec40d12bf2fecde77611a465cd98bd84f7a3c3ad81
  Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x1B1C0   Size: 16488 bytes
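The carver labels the five artifacts above "sfnt" from the stream's magic; before handing a carved font to a real font parser, the next triage step is to check that its offset table and table directory are structurally sound, since table records that point outside the blob are where malformed fonts cause trouble. The following is an added example written for this page, not the platform's carver: it bounds-checks every table record and verifies the per-table OpenType checksums, and `build_sfnt` exists only to construct a small in-memory font as test input. Nothing here is a statement about the five fonts listed above.

```python
"""Structural sanity check for a carved sfnt (TrueType/OpenType) blob."""
import struct

SFNT_VERSIONS = {0x00010000: "truetype", 0x4F54544F: "cff (OTTO)", 0x74727565: "true (Apple)"}


def _pad4(data):
    return data + b"\0" * ((4 - len(data) % 4) % 4)


def table_checksum(data):
    """OpenType table checksum: big-endian uint32 sum over the 4-byte-padded table, mod 2^32."""
    padded = _pad4(data)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def build_sfnt(tables):
    """Assemble a minimal TrueType-flavoured sfnt from {tag: bytes} (constructed test input only)."""
    n = len(tables)
    entry_selector = n.bit_length() - 1          # floor(log2 n), as the spec defines it
    search_range = (1 << entry_selector) * 16
    range_shift = n * 16 - search_range
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector, range_shift)
    offset = 12 + 16 * n                         # tables start right after the directory
    records, body = b"", b""
    for tag, blob in sorted(tables.items()):     # directory entries must be sorted by tag
        records += struct.pack(">4sIII", tag, table_checksum(blob), offset, len(blob))
        body += _pad4(blob)
        offset += len(_pad4(blob))
    return header + records + body


def parse_sfnt(data):
    """Return [(tag, offset, length, checksum_ok)] or raise ValueError on a structural problem."""
    if len(data) < 12:
        raise ValueError("shorter than an sfnt offset table")
    version, num_tables, _, _, _ = struct.unpack(">IHHHH", data[:12])
    if version not in SFNT_VERSIONS:
        raise ValueError("unknown sfnt version 0x%08x" % version)
    directory_end = 12 + 16 * num_tables
    if len(data) < directory_end:
        raise ValueError("table directory truncated (%d tables claimed)" % num_tables)
    out = []
    for i in range(num_tables):
        tag, stored, off, length = struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i])
        # A record that overlaps the directory or runs past the end of the blob is malformed.
        if off < directory_end or off + length > len(data):
            raise ValueError("table %r points outside the blob (off=%d len=%d)" % (tag, off, length))
        blob = data[off:off + length]
        if tag == b"head":                       # head's checkSumAdjustment field is zeroed for its own checksum
            blob = blob[:8] + b"\0\0\0\0" + blob[12:]
        out.append((tag.decode("latin-1"), off, length, table_checksum(blob) == stored))
    return out


def is_valid_sfnt(data):
    """True when the directory is structurally sound and every table checksum matches."""
    try:
        return all(ok for _, _, _, ok in parse_sfnt(data))
    except ValueError:
        return False
```

`parse_sfnt` is deliberately strict about bounds and lenient about content: it does not interpret any table, so it can be pointed at a carved blob before deciding whether a full font parser should ever see it. A checksum mismatch on its own is common in shipped fonts and is a note, not a verdict; an out-of-bounds record is the finding that matters.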