Malicious PDF — malware analysis report

Static analysis result for SHA-256 e12511a3b038ea0c…

MALICIOUS

PDF

Size: 99.2 KB
Created: 2021-03-20 16:04:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 57a6ee0a76ec7b0adf457e4773c1362e
SHA-1: 24bc61829d95e2cd4ffcbe8e420a1d023d7a2cfc
SHA-256: e12511a3b038ea0c25266272119bd3add2136e57e82efe37c93cd8065fbc115c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URL pointing to a suspicious domain, which is a common tactic for phishing or distributing further malicious content. The PDF structure and embedded content suggest an attempt to exploit user trust.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9937

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                      | Size
font_00_sfnt_off000137da.bin | 840e9bcdce47daee577b181329830b2d3ec0ca4853b7e7a4e45881bb3ea3f1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x137DA | 4968 bytes
font_01_sfnt_off000148c9.bin | ed2f7c9631594979ea0a03f26ac31eee6210e1a733858159b7f6fda0fb007ed5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x148C9 | 11752 bytes
font_02_sfnt_off000170b4.bin | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x170B4 | 4324 bytes