Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0b567856c7c9ecd…

MALICIOUS

PDF

87.2 KB Created: 2021-06-01 11:23:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3e8c5182d84297961e7eede30348433 SHA-1: f9df421e6f9db0d92de5762790fc4f92dce30b20 SHA-256: e0b567856c7c9ecdc29a68cecc119b6c90651bbe0809866461a87a7cc7ea5c93
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ClamAV as 'Pdf.Phishing.Trojan' and an ML classifier indicated a high probability of maliciousness. The document body contains obfuscated text and a prominent URL, 'https://crewmak.ru/pbw?utm_term=the+secrets+of+underground+medicine+pdf+download', which is likely used to deliver a malicious payload or redirect the user to a phishing site. No scripts were extracted, but the PDF structure and embedded URI heuristic suggest a phishing or social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/pbw?utm_term=the+secrets+of+underground+medicine+pdf+download
    • https://cdn-cms.f-static.net/uploads/4472768/normal_6054141c54824.pdf
    • https://cdn-cms.f-static.net/uploads/4471692/normal_602c66e3a6b5f.pdf
    • https://cdn-cms.f-static.net/uploads/4445731/normal_6023e5ffa03ca.pdf
    • https://cdn-cms.f-static.net/uploads/4484356/normal_6042c8be0ad9c.pdf
    • https://static.s123-cdn-static-d.com/uploads/4374364/normal_60b20c29a4e5a.pdf
    • https://static.s123-cdn-static.com/uploads/4387218/normal_6003ff190c4d7.pdf
    • https://cdn-cms.f-static.net/uploads/4478685/normal_6035317fbdc5c.pdf
    • https://static.s123-cdn-static.com/uploads/4365552/normal_5fcf89f603516.pdf
    • https://cdn-cms.f-static.net/uploads/4366347/normal_60108692316f7.pdf
    • https://cdn-cms.f-static.net/uploads/4470029/normal_604148948f130.pdf
    • https://static.s123-cdn-static.com/uploads/4425255/normal_5ff9af6713d0b.pdf
    • https://cdn-cms.f-static.net/uploads/4385010/normal_604ca36056a38.pdf
    • https://cdn-cms.f-static.net/uploads/4462352/normal_601212a9364c5.pdf
    • https://cdn-cms.f-static.net/uploads/4425237/normal_60338907c527c.pdf
    • https://cdn-cms.f-static.net/uploads/4419640/normal_605d7576a4077.pdf
    • https://cdn-cms.f-static.net/uploads/4415518/normal_5fd1fca1b566f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://lakebimutep.pbworks.com/w/file/fetch/144416736/phantomjs_html_to_command_line.pdf
    • http://viluxese.pbworks.com/w/file/fetch/144428847/charlie_y_la_fabrica_de_chocolate_libro_alfaguara_juvenil.pdf
    • http://tusawijer.pbworks.com/w/file/fetch/144450012/super_mario_maker_apk_obb.pdf
    • http://gatasulupu.pbworks.com/w/file/fetch/144421854/xaxabeluwa.pdf
    • http://fodorafirig.pbworks.com/w/file/fetch/144435123/derecho_internacional_pblico_libro_monroy_cabra.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eb8b.bin
271770e724334166f2d76e163cf618608ca178ea025f3d3b4d70c3fbb305d594		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB8B 3028 bytes
font_01_sfnt_off0000f65f.bin
04d8df1761411158e732407369b70f95a20d0e3ae75085ffd969b3f38364f6b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF65F 5492 bytes
font_02_sfnt_off000108ed.bin
9cb4cc527153d9ca9f39ae197f899124ed08baa1ec7750f058c6f8df9ee88d2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x108ED 11328 bytes
font_03_sfnt_off00012fa0.bin
0f84ff189e668a26a8a81aee7fceedcb68b519ae01094968dad25d169e66c605		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12FA0 16556 bytes
font_04_sfnt_off0001461d.bin
05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1461D 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.