Malicious PDF — malware analysis report

Static analysis result for SHA-256 d99bae12c37029eb…

Verdict: MALICIOUS
File type: PDF
Size: 175.4 KB
Created: 2021-03-18 22:07:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bddcc77e0651b60e6a0a70e17babf25e
SHA-1: d3705b2aef94835b5aa56ba6936356803293a1d6
SHA-256: d99bae12c37029eb2774645ef23d1ed34b9f0e1d50e4c78a58ea2ed09fe7f121
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was classified as malicious by the ML classifier (Nyx, score 0.9837) and by ClamAV (Pdf.Phishing.Trojan), which points to a phishing lure or trojan delivery document rather than an exploit document. It contains an external URI action whose target, https://bologen.ru/award?keyword=sejarah+hak+asasi+manusia+pdf, is disguised with human-rights keywords ("sejarah hak asasi manusia" is Indonesian for "history of human rights"). The other extracted URLs are mostly .pdf links on free web hosts and file CDNs (epizy.com, 22web.org, atwebpages.com, iblogger.org, getenjoyment.net, filesusr.com, f-static.net, sqhk.co); URL extraction by itself is not a detection, but that many unrelated download links in one document is a pattern consistent with a redirection or second-stage download mechanism. The authoring application (wkhtmltopdf) indicates the PDF was rendered from an HTML page, which also explains the volume of body URLs; the XMP namespace and font licence URLs at the end of the list are generator boilerplate, not indicators. Note that no JavaScript heuristic fired: the T1059.007 mapping above is not supported by the static findings listed below, and the only active content identified is the URI action.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9837

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader resolves the earlier definition and a last-wins reader the later one, so the two see different content; this parser-confusion shape is used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content (JavaScript, launch or URI actions, and the like).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/award?keyword=sejarah+hak+asasi+manusia+pdf
    • https://cdn.sqhk.co/burexewejam/jcjaOQh/rudenifil.pdf
    • https://cdn.sqhk.co/gasupewu/mNdjjje/xunagafojagevabajo.pdf
    • http://dobomasinuraz.iblogger.org/71647532315.pdf
    • http://netolenogafa.getenjoyment.net/buffer_solution_journal.pdf
    • https://cdn-cms.f-static.net/uploads/4425217/normal_604b728e49df9.pdf
    • https://cdn-cms.f-static.net/uploads/4377717/normal_602389b53be14.pdf
    • https://cdn.sqhk.co/fikalibumi/ggyhco7/hourly_schedule_template_google_docs.pdf
    • https://cdn.sqhk.co/lifudidu/Cih5uih/36283532697.pdf
    • https://cdn.sqhk.co/kekelivig/QtJgg0e/big_ideas_learning_geometry_chapter_5_answers.pdf
    • http://sezewadiwun.22web.org/lottery_grants_board_accountability_report.pdf
    • https://cdn-cms.f-static.net/uploads/4454968/normal_6012e06313e4a.pdf
    • https://static.s123-cdn-static.com/uploads/4422631/normal_5fe05bb47cd98.pdf
    • https://cdn-cms.f-static.net/uploads/4406466/normal_6041d7c7f268d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://2aa0b900-127f-4603-a19a-6a731d3c9eb1.filesusr.com/ugd/5eaffa_855cb0a04d1c4821b07e48df2ab35470.pdf?index=true
    • https://72cdfa97-b5fe-44cc-9aa9-3142b5aa642a.filesusr.com/ugd/ee32c9_9f1b573889cb40feab7304307337390b.pdf?index=true
    • https://c245485c-e1a4-4c5a-9a2a-c465a95e53c8.filesusr.com/ugd/25f824_746de917113247efb55b46d4085bb458.pdf?index=true
    • http://wijobave.epizy.com/xasivaj.pdf
    • https://c44f4a6d-8922-4093-a150-c9e6b6244fdd.filesusr.com/ugd/b371d9_242db6ea24754b3b8b8d1d2c0473fa4c.pdf?index=true
    • https://57933e30-1e86-4cbe-ad2b-777cb72f9932.filesusr.com/ugd/235f1a_786ed57dc9d94e869dca0fb9109e40c3.pdf?index=true
    • http://riwugiboturom.epizy.com/arch_tempered_zorah_guide.pdf
    • http://satawakerexe.atwebpages.com/short_stories_nyc_restaurant.pdf
    • https://c931c956-7f53-4e4e-96dc-27d7f003ba63.filesusr.com/ugd/b80c10_74fd6a6d9c444e88912dca5589742173.pdf?index=true
    • https://1c985592-4fe2-425a-b8d2-7dc24782370c.filesusr.com/ugd/a13bc2_61b797a92b57408fb9c6058d23f9546b.pdf?index=true
    • https://580b68e3-2104-4118-ae5b-4f285de1c062.filesusr.com/ugd/dad7b5_4a3db278e98342eeb1c8a8e876fb6520.pdf?index=true
    • https://80172413-d145-4b71-b7cf-4a007d76ad29.filesusr.com/ugd/cacfd7_5afb1ec747be47fdb295100e24699be8.pdf?index=true
    • http://timodetunidup.epizy.com/camisa_polo_feminina_para_uniforme.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
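The two heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the EMBEDDED_URL / PDF_URI channel labelling, can be reproduced with a short regex-based scan. The Python below is an added example written for this page, not code from the scanner that produced the report. It indexes every "N G obj" definition, reports object numbers defined more than once with differing bodies (raising severity only when a copy carries active content, as the heuristic describes), and labels each URL with the channel it sits in: a /URI action, the XMP metadata packet, or the plain document body. The two sample documents, the example.invalid host, the key list and the function names are constructed assumptions; the samples omit xref tables because the scanner does not need them.

```python
import re
from collections import defaultdict

# "N G obj ... endobj"; DOTALL so bodies span lines. The look-behind stops
# "10 0 obj" from also being read as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Channels a URL can sit in: a /URI action string, or the XMP metadata packet.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
XMP_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.DOTALL)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")
# Dictionary keys that turn a duplicated object from "info" into "high" (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/RichMedia")


def index_objects(pdf):
    """Return {(num, gen): [(offset, body), ...]} in file order, keeping every copy."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append((m.start(), m.group(3).strip()))
    return objs


def find_duplicate_objects(pdf):
    """Flag object numbers defined more than once with different bodies.

    A first-wins reader resolves copies[0], a last-wins reader copies[-1], so
    the two see different content. Body-only differences stay "info" (normal
    for incremental updates); the finding is "high" when any copy carries
    active content.
    """
    findings = []
    for (num, gen), copies in index_objects(pdf).items():
        if len({body for _, body in copies}) < 2:
            continue
        active = any(key in body for _, body in copies for key in ACTIVE_KEYS)
        findings.append({
            "obj": f"{num} {gen}",
            "copies": len(copies),
            "first_wins": copies[0][1],
            "last_wins": copies[-1][1],
            "severity": "high" if active else "info",
        })
    return findings


def label_urls(pdf):
    """Map each URL to the channel(s) it was reached through.

    "uri-action"   inside a /URI action (clickable, the PDF_URI case)
    "xmp-metadata" inside the XMP packet (namespace boilerplate)
    "body"         anywhere else (page text, font data, comments)
    """
    spans = [(m.start(1), m.end(1), "uri-action") for m in URI_ACTION_RE.finditer(pdf)]
    spans += [(m.start(), m.end(), "xmp-metadata") for m in XMP_RE.finditer(pdf)]
    labels = defaultdict(set)
    for m in URL_RE.finditer(pdf):
        channel = next((name for s, e, name in spans if s <= m.start() and m.end() <= e), "body")
        labels[m.group(0).decode("latin-1")].add(channel)
    return {url: sorted(channels) for url, channels in labels.items()}


# Constructed sample (not the analysed file): the catalog (1 0) is redefined by an
# incremental update that adds an /OpenAction running JavaScript.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/award?keyword=lure) >> >> endobj
5 0 obj << /Length 40 >> stream
(Visit http://example.invalid/lure.pdf) Tj
endstream endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 96 >> stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign counterpart: the /Info dictionary is redefined with a new /ModDate only.
BENIGN_UPDATE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
7 0 obj << /Producer (wkhtmltopdf) /ModDate (D:20210318220751+02'00') >> endobj
trailer << /Root 1 0 R /Info 7 0 R >>
%%EOF
7 0 obj << /Producer (wkhtmltopdf) /ModDate (D:20210319090000+02'00') >> endobj
trailer << /Root 1 0 R /Info 7 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, doc in (("malicious-update", SAMPLE_PDF), ("benign-update", BENIGN_UPDATE_PDF)):
        for f in find_duplicate_objects(doc):
            print(f"{name}: obj {f['obj']} defined {f['copies']}x, severity {f['severity']}")
            print("  first-wins:", f["first_wins"].decode("latin-1"))
            print("  last-wins: ", f["last_wins"].decode("latin-1"))
    for url, channels in label_urls(SAMPLE_PDF).items():
        print(f"{','.join(channels):14} {url}")
```

The regex index is deliberately xref-agnostic: a duplicate detector that trusted the xref table would see only the definition the table points at, which is exactly the view the parser-confusion trick is designed to split. Run against the real sample, the URI-action label is what distinguishes the bologen.ru link from the body and XMP URLs in the list above.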

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_006_off000291b6.bin
    SHA-256: 49ae6c796a70a702443dc21999c7dc63ea3449db580f920e86b2abf5424aa6a0
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x291B6
    Size: 18792 bytes
  • font_00_sfnt_off00025797.bin
    SHA-256: 98fa99717e9a3a72e05930cf5885cdb8227d42005d70a44db7e5dcec7d7b1cfa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x25797
    Size: 5492 bytes
  • font_01_sfnt_off00026a1c.bin
    SHA-256: e0c816155c69863803ad30748c8a0ebc1e49a7a5618e292e9053db83b0f29e09
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x26A1C
    Size: 12084 bytes
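How artifacts like these are carved: the Python below is an added example for this page, not the analysis tool's own carver. It walks the stream objects of a constructed sample PDF, slices the stream data by the direct /Length value (falling back to the endstream keyword when /Length is missing or an indirect reference), inflates FlateDecode streams with zlib, recognises embedded sfnt fonts by their version tag, and records offset, size and SHA-256 in the layout of the table above. The sample bytes, the file-name pattern and the helper names are illustrative assumptions; a real carver would additionally follow filter chains other than FlateDecode.

```python
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
# Direct integer /Length only; "/Length 12 0 R" (indirect) is rejected by the look-ahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def sfnt_kind(data):
    """Identify an embedded font by its sfnt version tag; None if not a font."""
    tag = data[:4]
    if tag in (b"\x00\x01\x00\x00", b"true"):
        return "truetype"
    if tag == b"OTTO":
        return "opentype-cff"
    return None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_streams(pdf):
    """Locate every stream object, inflate FlateDecode data, and describe each artifact."""
    carved, fonts = [], 0
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        start = STREAM_START_RE.search(body)
        if not start:
            continue
        dictionary, data_start = body[:start.start()], start.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            raw = body[data_start:data_start + int(length.group(1))]
        else:  # /Length missing or indirect: trust the endstream keyword instead
            raw = body[data_start:body.rfind(b"endstream")].rstrip(b"\r\n")
        offset = m.start(3) + data_start  # absolute file offset of the raw stream data
        if b"/FlateDecode" in dictionary:
            try:
                data, kind = zlib.decompress(raw), "decompressed-pdf-stream"
            except zlib.error:
                data, kind = raw, "flate-decode-failed"  # keep raw bytes for manual inspection
        else:
            data, kind = raw, "raw-pdf-stream"
        font = sfnt_kind(data)
        if font:
            kind, name = "pdf-font-stream", f"font_{fonts:02d}_sfnt_off{offset:08x}.bin"
            fonts += 1
        else:
            name = f"stream_{len(carved):03d}_off{offset:08x}.bin"
        carved.append({"name": name, "offset": offset, "kind": kind, "font": font,
                       "size": len(data), "sha256": sha256_hex(data), "data": data})
    return carved


# Constructed sample (not the analysed file): Flate-compressed page content, a
# Flate-compressed fake TrueType header (version 1.0, numTables 3, zero padding),
# and an uncompressed XMP packet.
SAMPLE_CONTENT = b"BT /F1 12 Tf (Hello) Tj ET"
SAMPLE_FONT = b"\x00\x01\x00\x00\x00\x03" + b"\x00" * 26
SAMPLE_XMP = b"<x:xmpmeta xmlns:x='adobe:ns:meta/'/>"


def build_sample_pdf():
    parts = [(b"/Filter /FlateDecode", zlib.compress(SAMPLE_CONTENT)),
             (b"/Filter /FlateDecode /Length1 %d" % len(SAMPLE_FONT), zlib.compress(SAMPLE_FONT)),
             (b"/Type /Metadata /Subtype /XML", SAMPLE_XMP)]
    out = bytearray(b"%PDF-1.4\n")
    for num, (extra, raw) in enumerate(parts, start=1):
        out += b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (num, len(raw), extra)
        out += raw + b"\nendstream\nendobj\n"
    out += b"trailer << /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


if __name__ == "__main__":
    for a in carve_streams(build_sample_pdf()):
        print(f"{a['name']}  {a['kind']}  offset 0x{a['offset']:X}  {a['size']} bytes  {a['sha256']}")
```

Slicing by /Length rather than searching for "endstream" matters for binary streams: compressed data can legitimately contain the bytes of the keyword, and a carver that stops early yields a truncated artifact with a hash that matches nothing. The sizes recorded in the table above are of the decompressed bytes, which is what the `size` field here reports.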