Malicious PDF — malware analysis report

Static analysis result for SHA-256 deb2b3b86f1f6c00…

MALICIOUS

PDF

Size: 161.1 KB
Created: 2021-04-14 12:14:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: ce7bd034b41f51621230957ebe5ff3e2
SHA-1: 956e033d7f9780f27ccf75be2565fb4335509e17
SHA-256: deb2b3b86f1f6c00c4bc169fdb7bcc408c8ef9593fe21bf208f70b2b14038184
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ClamAV and an ML classifier, with a high risk score. It contains an embedded URI pointing to 'fokemale.ru', which is likely a phishing or malware distribution domain. The document body, though heavily obfuscated, suggests a lure related to a 'Nespresso aeroccino owners manual', indicating a social engineering pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9935

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/strik?utm_term=nespresso+aeroccino+owners+manual (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4456376/normal_606a58387f204.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4495997/normal_5fe170de663b6.pdf (in PDF document text)
    • https://daxodewime.weebly.com/uploads/1/3/1/3/131398188/191899.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4374022/normal_5ff31b756844b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4426263/normal_6032c27e23c69.pdf (in PDF document text)
    • https://vuloribogisoso.weebly.com/uploads/1/3/4/6/134655424/vakimubarepanen.pdf (in PDF document text)
    • https://lafefetakizin.weebly.com/uploads/1/3/2/7/132712235/eb0de99c.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4452839/normal_5fe554031f795.pdf (in PDF document text)
    • https://somokowu.weebly.com/uploads/1/3/1/3/131383604/7f658ab3d67.pdf (in PDF document text)
    • https://fedonofawok.weebly.com/uploads/1/3/4/8/134881994/830350.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/jebokizez/xupad.pdf (in PDF document text)
    • https://s3.amazonaws.com/remavuj/what_are_financial_models_in_business.pdf (in PDF document text)
    • https://s3.amazonaws.com/dobesogum/xulekobegevapoxediki.pdf (in PDF document text)
    • https://s3.amazonaws.com/puretulenuza/levurixarumuzifivuxela.pdf (in PDF document text)
    • https://s3.amazonaws.com/geraromu/badojulavoxiluridozejo.pdf (in PDF document text)
    • https://s3.amazonaws.com/pisedij/1980_johnson_25_hp_outboard_manual.pdf (in PDF document text)
    • https://s3.amazonaws.com/legenapi/69495552808.pdf (in PDF document text)
    • https://s3.amazonaws.com/zibenoroduzuw/what_does_capitalist_economy_mean.pdf (in PDF document text)
    • https://s3.amazonaws.com/miledu/math_grade_1_subtraction_worksheets.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/24dc374c-9446-454c-9725-e13d40bd6d8d/why_did_britain_start_an_empire.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a25584be-9330-4d11-bef9-de019cd9969e/filewulexape.pdf (in PDF document text)
    • https://s3.amazonaws.com/xukanomarexumu/82506341363.pdf (in PDF document text)
    • https://s3.amazonaws.com/fulazelof/35964004953.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/69f184c3-964f-424c-bfa7-170cb6bb499a/how_to_set_time_on_armitron.pdf (in PDF document text)
    • https://s3.amazonaws.com/meludav/ganedodaruzorutabozawig.pdf (in PDF document text)
    • https://s3.amazonaws.com/rozebofukixus/bengali_full_movie_website.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_005_off00023de7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x23DE7 | 31380 bytes | 729b47f70fd23d1a20ea89516bce999ff2b1668d1215ae596f9518f2eddf6f17
font_00_sfnt_off0001df7e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1DF7E | 5140 bytes | fc0132e8f97b05f8140384d8b517580dadae79de4771500c000ce0d7668c3e71
font_01_sfnt_off0001f0fa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1F0FA | 32012 bytes | 6befb8c087f0d4eeb5a347fb44b428230e3b47e9a5659ade985e841fc4bdd783