Malicious PDF — malware analysis report

Static analysis result for SHA-256 dae6a181fbdc35ab…

MALICIOUS

PDF

Size: 77.2 KB
Created: 2021-03-28 15:27:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 253675db204ea7ba6088d9b014e2eeb6
SHA-1: 5df2524d7fbc543c19c4ae06ae1264c7733fd79f
SHA-256: dae6a181fbdc35abc8cdf5a1619ca406a765434b00c0eddd7742ee04e1f5a38b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URL `https://soxebez.ru/award?keyword=lobes+of+brain+pdf` suggests a phishing or scam lure, attempting to trick users into visiting a malicious site. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a malicious document designed to lead users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/award?keyword=lobes+of+brain+pdf
    • http://vexetifiridik.mypressonline.com/fusionner_2_jpg_en_1.pdf
    • https://static.s123-cdn-static.com/uploads/4366660/normal_5fdf3d38eb5a4.pdf
    • https://cdn-cms.f-static.net/uploads/4391893/normal_605be78da7dfa.pdf
    • https://cdn-cms.f-static.net/uploads/4497687/normal_600d612fd64da.pdf
    • https://static.s123-cdn-static.com/uploads/4492871/normal_5ff891848e6ce.pdf
    • https://static.s123-cdn-static.com/uploads/4466680/normal_60009f4feb339.pdf
    • http://dusibarupuguli.medianewsonline.com/adjetivos_posesivos_en_ingles_exercises.pdf
    • http://gefosezidubajoz.scienceontheweb.net/sandeep_garg_accountancy_class_11_solutions.pdf
    • https://cdn-cms.f-static.net/uploads/4416802/normal_60101022c0f9d.pdf
    • http://desajegurake.scienceontheweb.net/skyrim_slow_time_command.pdf
    • https://cdn-cms.f-static.net/uploads/4452199/normal_6039f5fa473b4.pdf
    • http://duzegotola.medianewsonline.com/oxigenoterapia_2020.pdf
    • https://cdn-cms.f-static.net/uploads/4451356/normal_603b5f34367be.pdf
    • https://cdn-cms.f-static.net/uploads/4366036/normal_603716df6a4e1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://luvabokinoleg.onlinewebshop.net/acer_v5_battery_plugged_in_not_charging.pdf
    • http://zutugidod.onlinewebshop.net/pajovorajebanilasas.pdf
    • https://uploads.strikinglycdn.com/files/edbbc394-8499-4b9b-a1be-d5b698460be9/46421663361.pdf
    • https://uploads.strikinglycdn.com/files/560ef2d9-cec5-4501-b747-2f569837021b/english_tenses_exercises_pre-intermediate.pdf
    • https://uploads.strikinglycdn.com/files/7d5f55fd-bdeb-43c8-a42e-99fc2e4229dd/sadeja.pdf
    • https://uploads.strikinglycdn.com/files/2e82c9fe-b5b6-4c9d-9e00-39616b77d17a/48679116513.pdf
    • https://uploads.strikinglycdn.com/files/f141d619-71de-43f6-9bac-c9f47bbaa11f/legend_of_zelda_theme_trumpet_solo.pdf
    • http://xiwozoget.atwebpages.com/storytown_phonics_practice_book_grade_2.pdf
    • https://uploads.strikinglycdn.com/files/2cccddda-05a4-4fa8-bcf4-0da866dc4591/descargar_la_biblia_reina_valera_1960_letra_grande.pdf
    • https://uploads.strikinglycdn.com/files/99b4f593-e499-415b-9a05-99419f6fb85c/43191049279.pdf
    • https://uploads.strikinglycdn.com/files/5221bea3-a482-4e53-b5a2-3f3570a4b69c/xepil.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000f114.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF114   5084 bytes
    SHA-256: 82202c1a86ecdc9133c329607d7f2b2c4709f0d592cddc6f0a1484d8badd989c
font_01_sfnt_off00010269.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10269  11004 bytes
    SHA-256: 040648c3f80a46dd457a8ff9ff319eae145233075ecd1ef004724e3e5753a49e