Malicious PDF — malware analysis report

Static analysis result for SHA-256 deccd3b450f9232b…

Verdict: MALICIOUS
File type: PDF
Size: 82.0 KB
Created: 2021-03-11 01:23:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 213838446ded0d900d022a5228b9b370
SHA-1: 77419155b03739ba74623df7eeb378ed1e10cb1f
SHA-256: deccd3b450f9232ba7fe567f6c192859dc663b56a605cebe45583437aa445901
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, with a high risk score. It contains an embedded URL pointing to a suspicious domain, likely intended to host a phishing or malware payload. The document body, though heavily obfuscated, contains text related to 'Guide to visit hanoi', suggesting a lure to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://soxebez.ru/123?utm_term=guide+to+visit+hanoi

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000105fa.bin
    SHA-256: 93741b230f438d20e5f7bea65cabe06ab74d7f5b0facb42919c61eb4655c2e0d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105FA
    Size: 4876 bytes
  • Filename: font_01_sfnt_off00011696.bin
    SHA-256: 95208d2b9cb0096947d21fe9b6989897dcdcc11a30bdff1419e506a657832df1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11696
    Size: 10884 bytes