Malicious PDF — malware analysis report

Static analysis result for SHA-256 e311f54917c2acef…

Verdict: MALICIOUS
File type: PDF
Size: 89.7 KB
Created: 2021-03-21 07:58:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf32d8aa671d45aa949cd337a94deaf4
SHA-1: d3b8d53bd4a1c3e1f6c9c5ae80deb37621455d28
SHA-256: e311f54917c2acef84e4ac737e80db98e7b61383bfc01c06982032dde726a45e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL, identified as a phishing lure related to 'angular formbuilder disabled field'. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the presence of embedded URLs and the document's structure suggest it is designed to redirect users to malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9926

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://pelibifir.ru/123?utm_term=angular+formbuilder+disabled+field
    • https://cdn-cms.f-static.net/uploads/4427523/normal_6043f1f166f97.pdf
    • http://semazolowogafoj.22web.org/kukodutip.pdf
    • http://vuvulusigi.scienceontheweb.net/dimotipurunaxudubudubajo.pdf
    • http://terakusinuw.mypressonline.com/wivutazafapetujeko.pdf
    • https://cdn.sqhk.co/xagaxubibiz/5hjhDja/68951700753.pdf
    • https://cdn-cms.f-static.net/uploads/4413019/normal_600f0243378d9.pdf
    • https://static.s123-cdn-static.com/uploads/4380674/normal_60038ab1c9aaa.pdf
    • https://cdn.sqhk.co/gederanew/PjbjiJb/terimivapesujak.pdf
    • https://cdn.sqhk.co/peluxisomex/ljhkRsl/idol_beauty_shop.pdf
    • https://cdn.sqhk.co/mujawiru/wAic6ji/narcos_cartel_wars_mod_apk.pdf
    • http://lebepufu.mypressonline.com/kevexoborikadan.pdf
    • http://kaxiwemusemoj.mypressonline.com/fraction_bars_worksheets_3rd_grade.pdf
    • https://cdn.sqhk.co/xokebuzizo/jjShaf0/hackers_falls_swimming.pdf
    • http://lodujenoxo.iblogger.org/wafogerasasetite.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://05790d5e-93e9-4545-bcc4-99c37f081c18.filesusr.com/ugd/bff4d5_6da6bae91d1948a7b59012bfada3421b.pdf?index=true
    • https://451cdc1f-766e-44a1-8a9d-f9db2ecad5ed.filesusr.com/ugd/0f0d48_fe95308c49d544a1b3b43417c7160b94.pdf?index=true
    • http://morukigivarili.rf.gd/girl_with_the_dragon_tattoo_book.pdf
    • https://8dac4d01-2cd1-45d2-8b5f-6005f802adc9.filesusr.com/ugd/1f96ce_0c3174f12c1a473caa3dc5563b490524.pdf?index=true
    • http://nokatebikexu.epizy.com/sokebor.pdf
    • https://c480cc3d-c044-45b7-a7fa-747782367dcd.filesusr.com/ugd/a26f59_7c6e0d5496fa4d52bbba77268729b690.pdf?index=true
    • http://nejesezape.myartsonline.com/gevotomowav.pdf
    • https://2daccc73-8708-4113-a26a-4f38906335d9.filesusr.com/ugd/f65175_3c69be217c0f446b81f525b9464c5b88.pdf?index=true
    • http://vuwizovoxix.rf.gd/sotagado.pdf
    • https://ca39a19f-16f9-469f-ab0b-65ec0463b8d0.filesusr.com/ugd/cc9b97_1c9e2a7fb3c0463590c07a19246306e1.pdf?index=true
    • https://4c8e72c6-e2e3-4108-adc6-102de481692d.filesusr.com/ugd/f4b4ca_0652eeb0b11648ba8a3e7fd990f0312c.pdf?index=true
    • https://30372bae-fb3d-4285-bee0-d91e70c22047.filesusr.com/ugd/835091_2ea3104ddb144bd4ba7349b91f84ce38.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000fc66.bin
    SHA-256: fac19683bd85ccd8aad4ca123298a704516b99619ea47de0d93ff1665cf13174
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC66
    Size: 5356 bytes
  • font_01_sfnt_off00010e7f.bin
    SHA-256: 82f2f513f1609d88471d7e2805e55c29bb7c0a3e474cf3bb86a7a6eec27b620e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E7F
    Size: 2108 bytes
  • font_02_sfnt_off00011826.bin
    SHA-256: e25ad0159c960f2a387d8a92cf5e4e45e1207544a53ed14cf84ee7842491b233
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11826
    Size: 11428 bytes
  • font_03_sfnt_off00013f7f.bin
    SHA-256: 4b5c7613666b158bb9c1cbc28f0d3af4d3fe2526b699abea9ef56a4c5171584f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13F7F
    Size: 16840 bytes