Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc0fdb95b4223969…

Verdict: MALICIOUS
File type: PDF
Size: 80.3 KB
Created: 2021-03-30 21:33:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3a5bb8b8188dabf7b8d74b0bf361a29e
SHA-1: 1d073fb6ca58153b36ec41c0fcb6ad504881af99
SHA-256: dc0fdb95b4223969ff994cb77158b0305905bfa58bd890dac1b009a8b2ce3c37
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ClamAV (Pdf.Phishing.Trojan signature) and the ML classifier (score 0.9990) both flag the file as malicious. The document carries an external URI action pointing to vilenefex.ru, a domain with no evident relationship to its content; the purpose is to move the reader off the document to a phishing or malware-distribution page. The visible text, although partially corrupted, presents the file as a 'Designated survivor' parents' guide, which matches the utm_term in the URL and serves as the lure to get the link clicked. Note that none of the heuristic findings below report a JavaScript object or action, so the T1059.007 mapping is not corroborated by this static pass and should be confirmed dynamically before it is relied on.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader therefore resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a save-in-place by the authoring tool), so severity is raised only when the duplicated object carries active content such as a URI, JavaScript or launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/123?utm_term=designated+survivor+60+days+parents+guide
    • http://warowusavi.mywebcommunity.org/lawn_boy_honda_gcv160_oil_change.pdf
    • https://cdn.sqhk.co/pigevikuwi/jdgihgC/capsaicin_cream_shingles_cvs.pdf
    • https://zotaboxobur.weebly.com/uploads/1/3/6/0/136091523/1012029.pdf
    • https://luzafoku.weebly.com/uploads/1/3/0/8/130814295/sugabewofezinotido.pdf
    • https://mugebixivezir.weebly.com/uploads/1/3/1/4/131484268/798d5a08f.pdf
    • https://cdn.sqhk.co/fekigimuzib/jhRD6gj/88001684236.pdf
    • http://leririv.sportsontheweb.net/sindrome_de_asperger_2020.pdf
    • https://cdn.sqhk.co/xobakidanav/8e4hdDc/calendar_ortodox_2018.pdf
    • http://bafiselavanebep.mywebcommunity.org/what_are_8_limbs_of_yoga.pdf
    • http://xesapuwax.mywebcommunity.org/gifaxonowid.pdf
    • http://vetebozo.mypressonline.com/jeruzevewewigamubabika.pdf
    • http://kafofal.mygamesonline.org/carol_of_the_bells_sheet_music_piano.pdf
    • https://cdn.sqhk.co/medefitama/f1JoWgf/neon_flowers_live_wallpaper_apk.pdf
    • http://saniwigudovo.scienceontheweb.net/9268976346.pdf
    • http://fawaxifiwuzodil.scienceontheweb.net/nimugugovitonix.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://valapapiwusujeg.rf.gd/75621188124.pdf
    • http://tasefabomodewiv.epizy.com/kupufevaferexikabuz.pdf
    • http://jitoritobo.epizy.com/36873361215.pdf
    • http://zelalosiker.rf.gd/format_usb_ntfs_allocation_unit_size.pdf
    • http://fuguzametekobo.myartsonline.com/14012095185.pdf
    • http://dizodufuxot.rf.gd/sql_server_developer_interview_questions.pdf
    • http://pixafur.atwebpages.com/jumisepatumivomos.pdf
    • http://zipemoluligera.myartsonline.com/16901323108.pdf
    • http://desigaweru.myartsonline.com/national_geographic_almanac_2020.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
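The two parser-level heuristics above, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short scanner. The following Python is an added example written for this page, not the analysis engine's own code. It runs over a constructed PDF embedded in the block (not the analysed sample) in which an incremental update redefines a link annotation's /URI; the function names scan_objects, resolve, duplicate_objects and uri_actions and the sample URLs are the example's own. It resolves every object both first-wins and last-wins, reports duplicates whose bodies differ, and raises severity only when the duplicate carries active content, as the heuristic description states.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a link annotation (object 5)
# whose /URI is replaced by an appended incremental update. Xref tables are
# omitted on purpose; the scanner below ignores them anyway.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.org/guide) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    # --- incremental update: same object numbers and generations, new bodies ---
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://lure.example/123?utm_term=designated+survivor) >> >>\nendobj\n"
    b"4 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) /Title (guide) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R /Prev 0 >>\n%%EOF\n"
)

# "N G obj ... endobj" anywhere in the file, regardless of what the xref says.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# A URI action: /S /URI followed by /URI (literal string), with escaped ')' allowed.
URI_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(((?:\\\)|[^)])*)\)", re.DOTALL)
# Keys whose presence makes a duplicated object "active content".
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")


def scan_objects(data):
    """Return {(num, gen): [body, ...]} with bodies in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def resolve(defs, policy):
    """Resolve each object the way a first-wins ("first") or last-wins reader would."""
    idx = 0 if policy == "first" else -1
    return {key: bodies[idx] for key, bodies in defs.items()}


def duplicate_objects(defs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (N G), different body bytes.

    Severity is "info" for a plain body change and "high" when any version of
    the object carries active content.
    """
    findings = []
    for key, bodies in defs.items():
        if len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": key, "versions": len(bodies),
                             "severity": "high" if active else "info"})
    return findings


def uri_actions(data):
    """PDF_URI: every /S /URI action target found in the given bytes."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


if __name__ == "__main__":
    defs = scan_objects(SAMPLE_PDF)
    first, last = resolve(defs, "first"), resolve(defs, "last")
    for f in duplicate_objects(defs):
        print(f"object {f['obj']} defined {f['versions']}x, severity {f['severity']}")
        print("  first-wins URI:", uri_actions(first[f["obj"]]))
        print("  last-wins  URI:", uri_actions(last[f["obj"]]))
    print("all URIs in file:", uri_actions(SAMPLE_PDF))
```

The scanner walks raw bytes and ignores the xref table and /Prev chain deliberately: the point of the heuristic is to see every definition a reader could land on, not only the one the trailer advertises. On the sample it reports object 4 as an info-level body change (the /Info dictionary gained a /Title) and object 5 as high, because the two versions carry different URI actions, which is exactly the first-wins versus last-wins split the heuristic warns about. A production tool needs a tolerant lexer (object streams, stream bodies that happen to contain "endobj", hex-encoded strings) before this regex can be trusted on arbitrary files.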

Extracted artifacts 3

Files carved from inside the sample during analysis (filename, kind, source, size, SHA-256).

  • font_00_sfnt_off0000eb4f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB4F
    Size: 5432 bytes
    SHA-256: 5d67f12df6c679d274dea7bfde2100b7f9a971354772a2aff876907d0beeeaa3
  • font_01_sfnt_off0000fddb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFDDB
    Size: 10968 bytes
    SHA-256: c7e37be923f010208512a1eb120c8f10f5ef8f8d1a86f8ce9daa9b18526d6e68
  • font_02_sfnt_off0001237f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1237F
    Size: 4324 bytes
    SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3