Malicious PDF — malware analysis report

Static analysis result for SHA-256 da7ecbb307dd13ab…

Verdict: MALICIOUS
File type: PDF
Size: 81.7 KB
Created: 2021-03-22 22:54:53 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 448806d271e082fc68a7f9f513f7a286
SHA-1: 4f077c34b5787a06ce32d2f5ba376db54298b23d
SHA-256: da7ecbb307dd13ab412b545c8a97753a55460d02fef06792500cdc3b30f3715a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
The T1059.007 mapping should be read with care: none of the heuristics listed below reports a JavaScript object in this file, so it is not corroborated by the findings shown on this page.

The file was classified as malicious by the ML classifier (Nyx, score 0.9990) and by ClamAV, whose signature names it a PDF phishing trojan. The embedded URI (https://nipisod.ru/strik?utm_term=nikon+p510+manual+pdf+download) carries a search query in its utm_term parameter ("nikon p510 manual pdf download"), which fits a search-engine-poisoning lure: the document poses as a download page for a sought-after manual and the link hands the victim to a redirector that most likely serves the next stage. The document text is not directly legible in the raw file, but the extracted links (dozens of .pdf URLs on free-hosting platforms) are consistent with a fake search-results listing, which reinforces the phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    Signature: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action, normally attached to a link annotation); such an action is what hands the reader off to a remote page when the link is clicked.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes, so a first-wins reader and a last-wins reader resolve different content for it. That parser-confusion shape is used by targeted PDFs, but body-only differences are also routine in benign incremental updates (a saved edit appends a redefinition rather than rewriting the file), so severity is raised only when the duplicate definition carries active content. Here it does not, hence the info rating.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels, where present, say which channel (macro, JS, link annotation, document body, ...) reached each URL. Of the URLs below, nipisod.ru is the embedded URI discussed above; the many .pdf links on free-hosting platforms (weebly, strikinglycdn, amazonaws, epizy, rf.gd and similar) come from the document body; and the last seven are not lures at all: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, scripts.sil.org/OFL is the SIL Open Font License URL, and ascendercorp.com is a font vendor URL (Ascender Corporation), the kind of string an embedded font's name table carries.
    • https://nipisod.ru/strik?utm_term=nikon+p510+manual+pdf+download
    • http://debopuforu.22web.org/tovogoweseko.pdf
    • http://tadosuzewamu.medianewsonline.com/harry_potter_book_6_summary.pdf
    • http://negozio50sconto.info/zilefogiseridebadibivo6ngo.pdf
    • http://alphabitx.com/que_es_problema_de_investigacion_en_un_proyectov4c7y.pdf
    • https://povejuzulegaje.weebly.com/uploads/1/3/5/3/135301343/2691048.pdf
    • http://grizhoff.ru/new_yorker_magazine_subscription_address_changewzklt.pdf
    • https://xipidutaz.weebly.com/uploads/1/3/4/4/134401361/rorisogesofakijuvo.pdf
    • https://lerizizevu.weebly.com/uploads/1/3/4/3/134314130/5627752.pdf
    • https://dafufiwe.weebly.com/uploads/1/3/4/3/134368649/povopojanizizimirano.pdf
    • https://wuzitefagoxu.weebly.com/uploads/1/3/1/8/131856046/sajabepuzu.pdf
    • http://milansit.space/game_genie_nes_classictz6sg.pdf
    • http://lazirog.mywebcommunity.org/ranazinilotekimekir.pdf
    • http://bukupiduge.mypressonline.com/goziwezaxotiduzavit.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kogopixipinal.epizy.com/capitalization_quiz_7th_grade.pdf
    • http://nitiparavedo.epizy.com/how_to_fix_submersible_water_pump_in_borewell.pdf
    • https://s3.amazonaws.com/bevarolimesale/accelerated_learning_free.pdf
    • https://uploads.strikinglycdn.com/files/4f32dcb5-7fb0-44e0-9114-87a1c8d95471/bissell_little_green_portable_spot_and_stain_cleaner_1400m_reviews.pdf
    • https://uploads.strikinglycdn.com/files/c307785f-7bf6-4012-bf63-44808fea62dc/90220127360.pdf
    • https://s3.amazonaws.com/bezutu/29255725978.pdf
    • https://uploads.strikinglycdn.com/files/1e4b3f95-d101-408c-99c1-953ee10d57bf/conjuguemos_preterite_vs_imperfect_2_answer_key.pdf
    • https://uploads.strikinglycdn.com/files/602f2c3a-c647-40cc-a484-bdcf751506bc/zuvelogepem.pdf
    • https://s3.amazonaws.com/kezemiradigu/47131613700.pdf
    • https://uploads.strikinglycdn.com/files/490f3533-c030-465f-bcb1-313001a1e1a4/6725803171.pdf
    • https://s3.amazonaws.com/fatisake/entrance_exam_2019_questions_and_answers.pdf
    • http://bevunogigofijag.rf.gd/wilot.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
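The PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL findings above all reduce to walking the file's indirect object definitions. The following is an added example, not the analyser's own code, that does this over a constructed PDF: it lists every `N G obj ... endobj` definition, resolves the object table under both first-wins and last-wins policies to show how a redefined object yields different content, flags duplicates whose later body carries active content (raising severity only then, as the heuristic describes), and labels each extracted URL with the channel that reached it (link annotation, bare URI action, or a URL inside a JavaScript string). It assumes uncompressed object bodies and no object streams; the object numbers, URLs and the list of "active" keys are assumptions made for the demo.

```python
"""Duplicate-object and URL-channel checks over a PDF's indirect objects.
Added example, not the analyser's code. Assumes 'N G obj ... endobj' syntax with
uncompressed bodies and no object streams; SAMPLE_PDF is constructed for the demo."""
import hashlib
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STRING_KEY_RE = re.compile(rb"/(URI|JS)\s*\(")      # keys whose literal-string value can carry a URL
URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")
# Keys that make a redefinition more than cosmetic (assumed practical list, not exhaustive).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/URI",
               b"/SubmitForm", b"/GoToR", b"/EmbeddedFile", b"/RichMedia")

# Constructed: an original body plus one incremental update that redefines object 4 0,
# swapping its benign /URI action for a JavaScript action. No xref tables; a parser that
# walks 'obj ... endobj' pairs (as this one does) does not need them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/benign) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/redirect?utm_term=camera+manual+pdf+download) >> >> endobj
trailer << /Root 1 0 R /Size 6 >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL("http://evil.example/x")) >> >> endobj
trailer << /Root 1 0 R /Size 6 /Prev 0 >>
%%EOF
"""


def parse_objects(data):
    """Every 'N G obj ... endobj' definition in file order, as (num, gen, body)."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip()) for m in OBJ_RE.finditer(data)]


def resolve(data, policy="last"):
    """Object table as a reader would build it: 'first' keeps the earliest definition
    (scan-from-top readers), 'last' keeps the latest (readers honouring incremental updates)."""
    table = {}
    for num, gen, body in parse_objects(data):
        if policy == "last" or (num, gen) not in table:
            table[(num, gen)] = body
    return table


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def find_duplicate_objects(data):
    """Objects defined more than once with differing bodies (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    shape). Severity is raised only when a later definition carries active content."""
    definitions = {}
    for num, gen, body in parse_objects(data):
        definitions.setdefault((num, gen), []).append(body)
    findings = []
    for (num, gen), bodies in definitions.items():
        digests = [hashlib.sha256(b).hexdigest() for b in bodies]
        if len(set(digests)) < 2:
            continue                                    # identical re-saves are not interesting
        active = any(has_active_content(b) for b in bodies[1:])
        findings.append({"obj": f"{num} {gen}", "definitions": len(bodies),
                         "first_sha256": digests[0], "last_sha256": digests[-1],
                         "active_content": active, "severity": "high" if active else "info"})
    return findings


def read_literal(buf, start):
    """Raw bytes of the PDF literal string whose '(' is at buf[start]; handles nested
    parentheses and backslash escapes (escapes are left undecoded)."""
    depth, i = 0, start
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            i += 2                                      # skip the escaped byte
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return buf[start + 1:i]
        i += 1
    return buf[start + 1:]                              # unterminated string: take the rest


def extract_urls(data):
    """(obj, channel, url) for every URL reached via a /URI action or found inside a /JS string.
    Duplicate definitions are walked too, so a URL hidden in a redefinition is not lost."""
    out = []
    for num, gen, body in parse_objects(data):
        is_link = re.search(rb"/Subtype\s*/Link", body) is not None
        for m in STRING_KEY_RE.finditer(body):
            value = read_literal(body, m.end() - 1)
            if m.group(1) == b"URI":
                out.append((f"{num} {gen}", "link annotation" if is_link else "URI action",
                            value.decode("latin-1")))
            else:
                out.extend((f"{num} {gen}", "JavaScript", u.decode("latin-1"))
                           for u in URL_RE.findall(value))
    return out
```

On the sample, `find_duplicate_objects` reports object 4 0 as defined twice with active content in the redefinition, `resolve(..., "first")` returns the benign /URI body while `resolve(..., "last")` returns the JavaScript body, and `extract_urls` yields three labelled hits, including the evil URL that only exists in the last-wins view. On real files run the same functions over each inflated stream as well as over the raw bytes, and treat a URL that appears in only one of the two views as a signal in its own right.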

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256 below)          Kind             Source                                        Size
font_00_sfnt_off0000ff6f.bin      pdf-font-stream  PDF embedded font (sfnt) at offset 0xFF6F     5356 bytes
  81f8058e2a2e9bc1549bc43c52efed5cea5f4eaead2daba379d76a31064f861b
font_01_sfnt_off000111c0.bin      pdf-font-stream  PDF embedded font (sfnt) at offset 0x111C0    10988 bytes
  5e700f579074ce292c999e9a57215b607d3e4956697a2a0fc8dfd1a19a0fe6f0
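The two artifacts above are sfnt (TrueType/OpenType) fonts carved out of the PDF's font streams. The following is an added example, not the analyser's code, of how such carving is done and, more importantly, how a candidate is validated so that the common accidental byte runs `00 01 00 00` and `true` inside a PDF are not reported as fonts: the offset table's searchRange/entrySelector/rangeShift must be consistent with numTables, table tags must be printable, table extents must lie inside the buffer, and the per-table checksums must match. It assumes the font streams are stored uncompressed (on a real file, inflate FlateDecode streams first and scan those too); note that the report's own numbers (0xFF6F + 5356 bytes extends past 0x111C0) suggest its offsets and sizes are not in the same coordinate space, most likely raw-file offsets against inflated sizes, which the uncompressed assumption here sidesteps. The font, its table contents and the surrounding PDF bytes are constructed for the demo; `build_sfnt` exists only to produce that input.

```python
"""Carve sfnt (TrueType/OpenType) fonts out of a PDF and sanity-check them.
Added example, not the analyser's code. Assumes uncompressed font streams; the font
and the surrounding PDF bytes are constructed for the demo."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")   # TrueType, CFF OpenType, Apple TrueType


def sfnt_checksum(data):
    """Table checksum per the sfnt spec: big-endian uint32 sum over the table padded to 4 bytes."""
    data += b"\x00" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(data) // 4}I", data)) & 0xFFFFFFFF


def build_sfnt(tables):
    """Assemble a structurally valid sfnt from (tag, bytes) pairs (demo input, not a usable font)."""
    num = len(tables)
    entry_selector = num.bit_length() - 1                # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">4sHHHH", SFNT_MAGICS[0], num, search_range, entry_selector,
                         num * 16 - search_range)
    offset, directory, body = 12 + 16 * num, b"", b""
    for tag, data in sorted(tables):                     # the directory must be sorted by tag
        padded = data + b"\x00" * (-len(data) % 4)
        directory += struct.pack(">4sIII", tag, sfnt_checksum(data), offset, len(data))
        body += padded
        offset += len(padded)
    return header + directory + body


def parse_sfnt_at(buf, off):
    """Validate an sfnt directory at buf[off:]. Returns (end, tags, checksums_ok) or None.
    The consistency checks reject accidental 00 01 00 00 / 'true' byte runs in a PDF."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return None
    num, search_range, entry_selector, range_shift = struct.unpack(">HHHH", buf[off + 4:off + 12])
    if not 1 <= num <= 64 or entry_selector != num.bit_length() - 1:
        return None
    if search_range != (1 << entry_selector) * 16 or range_shift != num * 16 - search_range:
        return None
    if off + 12 + 16 * num > len(buf):
        return None
    rel_end, tags, ok = 12 + 16 * num, [], True
    for i in range(num):
        rec = off + 12 + 16 * i
        tag, csum, toff, tlen = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= b < 0x7F for b in tag) or off + toff + tlen > len(buf):
            return None
        tags.append(tag.decode("ascii"))
        if tag != b"head" and sfnt_checksum(buf[off + toff:off + toff + tlen]) != csum:
            ok = False                                   # 'head' holds checkSumAdjustment, so skip it
        rel_end = max(rel_end, toff + tlen)
    rel_end += -rel_end % 4                              # tables are 4-byte aligned
    return min(off + rel_end, len(buf)), tags, ok


def carve_fonts(buf):
    """Scan a PDF for embedded sfnt fonts; artifacts are named like the report's
    font_NN_sfnt_offXXXXXXXX.bin and carry their SHA-256."""
    found, pos = [], 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        parsed = parse_sfnt_at(buf, off)
        if parsed is None:
            pos = off + 1                                # false positive, keep scanning
            continue
        end, tags, ok = parsed
        blob = buf[off:end]
        found.append({"filename": f"font_{len(found):02d}_sfnt_off{off:08x}.bin", "offset": off,
                      "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest(),
                      "tables": tags, "checksums_ok": ok})
        pos = end


# Constructed sample: a PDF fragment holding one uncompressed font stream. '/Marked true' is a
# deliberate false-positive candidate for the 'true' magic; the name-table text is made up.
FONT = build_sfnt([(b"head", bytes(54)),
                   (b"name", b"constructed vendor string http://www.ascendercorp.com/")])
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /MarkInfo << /Marked true >> >> endobj\n"
              b"7 0 obj << /Length " + str(len(FONT)).encode() + b" /Subtype /TrueType >>\nstream\n"
              + FONT + b"\nendstream\nendobj\n%%EOF\n")
```

`carve_fonts(SAMPLE_PDF)` skips the `true` in `/Marked true` (its would-be numTables field decodes to a value far above 64) and returns a single artifact whose size equals the built font, with both table checksums verified. A checksum mismatch on a real carve is worth recording rather than discarding: a font that parses but fails its checksums is either damaged or deliberately edited, and fonts have been a parser attack surface in their own right.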