Malicious PDF — malware analysis report

Static analysis result for SHA-256 e52bf0bbd04cf1fa…

Verdict: MALICIOUS
File type: PDF
Size: 89.0 KB
Created: 2021-03-24 05:50:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2831f758d758f9b504aca4de584a5fd5
SHA-1: 1dabf9b089332adae2f041ecb9d071e8f2d1699d
SHA-256: e52bf0bbd04cf1fa61b2d4b1bfd385b88edb9d3fdb03fd50c6d1768cf82ca906
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a URL that, when clicked, leads to a malicious domain. The document body, though heavily obfuscated, appears to be a lure related to a common household problem, likely to trick the user into clicking the malicious link. ClamAV and ML classifiers strongly indicate maliciousness, and the presence of an external URI points to a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content for the same object, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://zajinet.ru/strik?utm_term=why+would+my+washing+machine+leak+from+the+bottom
    • https://cdn-cms.f-static.net/uploads/4381759/normal_6035c248cc04d.pdf
    • http://bionatur.space/soxapinajapexiuiq77.pdf
    • https://static.s123-cdn-static.com/uploads/4449183/normal_5ffeb6e017e18.pdf
    • https://static.s123-cdn-static.com/uploads/4385014/normal_5ff3542ec50ab.pdf
    • https://static.s123-cdn-static.com/uploads/4463812/normal_6007d76432981.pdf
    • https://static.s123-cdn-static.com/uploads/4445888/normal_5fe00c5ccad58.pdf
    • https://static.s123-cdn-static.com/uploads/4447108/normal_5fdf92bb7b095.pdf
    • https://static.s123-cdn-static.com/uploads/4454299/normal_5fc61045324fc.pdf
    • http://antonioita.fun/how_to_use_panasonic_microwave_nn-gt221wx2ecg.pdf
    • https://static.s123-cdn-static.com/uploads/4383806/normal_5ff881e3c993a.pdf
    • http://zezarujewida.iblogger.org/cannabidiol_parkinson.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://1cd0d4d5-11d4-440c-a307-81f73801f601.filesusr.com/ugd/f0e51d_095125333c4f4cac81c2deec89f331cd.pdf?index=true
    • https://48cc712b-de5e-493e-a198-f8962849e22b.filesusr.com/ugd/d2751c_ee363926381c4349a058f72834eaf00d.pdf?index=true
    • http://mugekalamiwatek.epizy.com/figukon.pdf
    • http://nanugubodiw.epizy.com/chiedere_scusa_formalmente_in_inglese.pdf
    • https://a0f1d9c0-ea46-4e0e-9383-d87711d3127f.filesusr.com/ugd/1e3fb7_744dd0ab5b094f028630c55ba70c794a.pdf?index=true
    • https://b70645e9-42d7-44c6-80f2-f165c8819e8d.filesusr.com/ugd/3f1130_310b72de69544d2cbc362f999dbe7fc4.pdf?index=true
    • https://fed4949e-3809-4fc0-a28b-84c5d390f589.filesusr.com/ugd/94482e_4ce97d1be7294aa5b82db5490e304e84.pdf?index=true
    • https://da9d63b4-fbfd-4f6f-88e7-06ac0d76355b.filesusr.com/ugd/ca300b_abcbf90f48a94e96bb4f19dffaabf0ca.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010816.bin
  SHA-256: a72d6cda16e8a0a7172f5780a4548c88ec4ce7877e6aa21e66c27dc7f3a93f16
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10816
  Size: 5848 bytes

Filename: font_01_sfnt_off00011bf8.bin
  SHA-256: 2d1b4ddde566da50611261892fb570bcd0ed8a3ed666b89c85ff6814aed87bc3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11BF8
  Size: 10884 bytes

Filename: font_02_sfnt_off00014123.bin
  SHA-256: 333c6b7950143ef5b768b9d621755905cb9f9f437be433e332b6baa8edb2b5fd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14123
  Size: 16148 bytes