Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4b463eef0146958…

MALICIOUS

PDF

73.2 KB Created: 2021-03-18 05:24:14 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f6910ac665f925892ee4015b42eba0d9 SHA-1: 7803a0b6db3652859c614e7800b64c6b128f3d17 SHA-256: e4b463eef0146958235485ec0cc2b74a043eef40a9615d27b4194d78a7f658b5
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ClamAV and an ML classifier, with a high risk score. It contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or social engineering lure. The document body, though heavily obfuscated, appears to be a deceptive search result page, further supporting a phishing attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/wix?keyword=vietnamese+girl+names+that+start+with+l
    • https://cdn-cms.f-static.net/uploads/4456121/normal_601ec39773d51.pdf
    • http://imedo.ru/percy_jackson_and_the_lightning_thief_chapter_1b7ini.pdf
    • https://fenogelojana.weebly.com/uploads/1/3/4/9/134904444/xidisol_lapigunaxizoge.pdf
    • http://palitra-cveta.ru/fidelis_essential_plan_income_guidel6o8xh.pdf
    • https://gomafaned.weebly.com/uploads/1/3/5/2/135296522/17713b8.pdf
    • https://nusisudarebo.weebly.com/uploads/1/3/4/3/134349377/9a2b59ac.pdf
    • http://otomail.business/woredarejiritiloneluwezwtsi6.pdf
    • http://jnatural.space/hannah_arendtex7d4.pdf
    • https://cdn-cms.f-static.net/uploads/4408481/normal_6034d815d4213.pdf
    • https://deponoma.weebly.com/uploads/1/3/2/6/132696267/4ed723d.pdf
    • http://cooldomen.space/9831981980a9x6i.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/jubiferekaka/90839633330.pdf
    • https://s3.amazonaws.com/limepusotanal/fiddler_on_the_roof_tradition_broadway.pdf
    • https://s3.amazonaws.com/xapidajovaji/niridovurugeme.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e0be.bin
827df096567399f697adbc6e22cf801555f3e6586cef40a3afd006b02124b7d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE0BE 5156 bytes
font_01_sfnt_off0000f22d.bin
9e1f266ca479eb51f08c6daa43b0251543dea9f43104083d2bd1e712a7398a18		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF22D 10516 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.