Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbf779de39cf2a5c…

Verdict: MALICIOUS
File type: PDF
Size: 138.6 KB
Created: 2021-04-24 23:40:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cf949e630b125c6352c938e4a25c2c71
SHA-1: bd968cd4f42bceb935b2986d0bece00860183eb6
SHA-256: dbf779de39cf2a5c685e248f9a4de00ac6e3b9e8d64cfc041e8c0c65e9af84a9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by both a machine learning classifier and ClamAV, which identifies it as a phishing trojan. It contains an embedded URL that appears to be part of a lure, directing users to a site whose link text relates to a car model. The PDF_URI and EMBEDDED_URL heuristics indicate that the document is built to reach external resources, most likely to download further malicious content or to redirect the user to a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://nipisod.ru/strik?utm_term=2006+chevy+malibu+ss+horsepower

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, and size.

  • font_00_sfnt_off0001bb40.bin
    SHA-256: 65fea41d64a11f660f1b5b8cafc729083806698357eb60ed2b2aed9e61b2a2a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1BB40
    Size: 3696 bytes
  • font_01_sfnt_off0001c86d.bin
    SHA-256: 61d4ad7c3f2cc9e2deb92672bc0241c084d1a12df453bdd56a0ff249a254d009
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C86D
    Size: 5900 bytes
  • font_02_sfnt_off0001dc66.bin
    SHA-256: c3d7e466583d290da8cea60c12a189639d19993c63d2a1acc9b3cb8627c87805
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1DC66
    Size: 12416 bytes
  • font_03_sfnt_off000206f9.bin
    SHA-256: 9b1148babf9e53f7281b982efac3d21c1a74094b534bd71b1e866d856b9467d7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x206F9
    Size: 16088 bytes