Malicious PDF — malware analysis report

Static analysis result for SHA-256 deffa9bb91d44495…

Verdict: MALICIOUS
File type: PDF
Size: 1.49 MB
Created: 2021-03-27 15:55:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-30
MD5: dd861bbb82fd11c77e3da2d0964bf291
SHA-1: 0fa0fd66174547767547f2c5b7d629e09bb83f9f
SHA-256: deffa9bb91d444956ddbba8ce546feb49955e215405445e96dc9b1cd2221572f
Risk score: 74

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains embedded URLs, one of which is flagged as suspicious. The heuristic 'SE_INVOICE_LURE' indicates that the document's content is designed to resemble an invoice or payment request, encouraging the user to interact with the embedded link. ClamAV also detected this file as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0084

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Fake invoice / payment lure [low] (SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI [info] (PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=thomas+aquinas+catena+aurea+luke (PDF link annotation)
    • https://jupavovol.weebly.com/uploads/1/3/4/3/134314217/ffc3f98799c2e.pdf (in PDF document text)
    • http://vugijow.iblogger.org/converting_cm_to_mm_worksheet_year_3.pdf (in PDF document text)
    • http://fodiwelamar.22web.org/sigajulodusosowu.pdf (in PDF document text)
    • https://koxawikala.weebly.com/uploads/1/3/4/6/134643159/nesel-xagilizoni-wulaxur-xelonuda.pdf (in PDF document text)
    • https://kojivijagidisu.weebly.com/uploads/1/3/4/0/134042347/06e0469b55.pdf (in PDF document text)
    • https://rebafanivine.weebly.com/uploads/1/3/6/0/136054257/jovibali-jesasuwozesu-koxamezefazit.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://xapemekofutomun.rf.gd/samopobivoposokizegoxekop.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8ffe4fec-572f-4f4f-8fe6-8444933e98fb/geometry_flowchart_proofs_examples.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/dd6346bb-9484-48c6-8191-b8248c188ae7/constitucion_de_venezuela_1830_division_territorial.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/57a02b45-efb9-4719-b2f3-d0a40e08e637/why_does_my_sony_sound_bar_keep_cutting_out.pdf (in PDF document text)
    • http://vorawaforase.epizy.com/fidelity_magellan_fund_fact_sheet.pdf (in PDF document text)
    • http://xapuzafuzokuw.rf.gd/collective_and_abstract_nouns_worksheet.pdf (in PDF document text)
    • http://zaxikukovojusux.rf.gd/31815856876.pdf (in PDF document text)
    • https://3485775d-af35-4505-8fb4-f6750f575e04.filesusr.com/ugd/42f18e_70ceda3c1e654974a52bbdd1c6054edb.pdf?index=true (in PDF document text)
    • http://vexidolovosope.rf.gd/vepuxaxulet.pdf (in PDF document text)
    • http://mosakokomu.epizy.com/black_and_white_fitted_crib_sheets.pdf (in PDF document text)
    • http://xokutamewa.rf.gd/examples_of_electronically_stored_information_esi.pdf (in PDF document text)
    • https://s3.amazonaws.com/tobojelusiwi/vojevidimajajuxixatuvunof.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b8603875-285b-4732-ab42-4f25c17f944c/4064469231.pdf (in PDF document text)
    • https://43fe4710-460a-4ad3-90dc-2dd795c51528.filesusr.com/ugd/a32c20_bd47202b43364efcae031d5368237725.pdf?index=true (in PDF document text)
    • https://e114ad41-1367-46fe-a5fd-427bf640f69d.filesusr.com/ugd/a63c55_d7d5fd2d86c744279c3707fc12a29c7f.pdf?index=true (in PDF document text)
    • https://cf176ec6-4820-456b-adf9-61e5f06c968f.filesusr.com/ugd/43d598_f663998d9131411b832e1c85748b84e6.pdf?index=true (in PDF document text)
    • https://uploads.strikinglycdn.com/files/753b1ba3-11fa-4dd2-be29-2dec31f55bd5/how_long_does_it_take_to_get_a_veterinary_assistant_certificate.pdf (in PDF document text)
    • https://s3.amazonaws.com/vitelitubovuluj/marathon_florida_fishing_report.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off001775fe.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1775FE | 5176 bytes
  SHA-256: 5cb7f671d171f55b812eb28749191054c67bd8bd04f5aeba661debe05b191b11
font_01_sfnt_off00178776.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x178776 | 11108 bytes
  SHA-256: 7f88835b10d65952b4536c968e176e31c3c29d23ab1fc641236a44a44e9d9616