Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5dbfe0477b42bf7…

Verdict: MALICIOUS
File type: PDF
Size: 76.7 KB
Created: 2021-03-10 09:48:14 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b7db2ad38f22ebb934143e2228afc249
SHA-1: 5546acc8eca99ed76ff8ca4b4f407d40ccce03ad
SHA-256: e5dbfe0477b42bf73a130a654baa2b74eec6e1eee3a95d7eabd4e5612a750047
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries an external URL action that, when the link is clicked, opens https://jumiwimov.ru/aws?utm_term=ridgid+10+inch+sliding+compound+miter+saw, a domain associated with phishing. The document body is heavily obfuscated but appears to be a product lure (the utm_term parameter names a RIDGID 10-inch sliding compound miter saw). The ML classifier score (0.9997) and the ClamAV signature match together strongly indicate malicious intent, most likely phishing or malware distribution. No JavaScript or OpenAction heuristic is listed below, so the T1059.007 mapping is not corroborated by an extracted script; the link action is the only active content the heuristics report.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a new copy of the object), so severity is raised only when the duplicate carries active content such as a URI, JavaScript or launch action. The report does not state which object number is duplicated here.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://jumiwimov.ru/aws?utm_term=ridgid+10+inch+sliding+compound+miter+saw
    • https://static.s123-cdn-static.com/uploads/4404297/normal_5fdc9b0409646.pdf
    • https://cdn-cms.f-static.net/uploads/4486523/normal_602c79b872b31.pdf
    • https://cdn-cms.f-static.net/uploads/4471945/normal_603a2cc7e221f.pdf
    • https://static.s123-cdn-static.com/uploads/4497110/normal_5fcbf76e2a065.pdf
    • https://static.s123-cdn-static.com/uploads/4390074/normal_5feb5d54aaa4d.pdf
    • https://cdn-cms.f-static.net/uploads/4453740/normal_602f7734275c1.pdf
    • https://static.s123-cdn-static.com/uploads/4449973/normal_5ff8fd73d2b18.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://11627308-8c8f-4f08-99ed-0ad85160907d.filesusr.com/ugd/682d1c_df9f661a83b74157816d2d5f711596ac.pdf?index=true
    • http://fipimut.epizy.com/79840286754.pdf
    • https://30383b9b-b26a-44f4-9a26-03873af8f03c.filesusr.com/ugd/fdee49_454edb7ff1244f49b54eb35a61ef0669.pdf?index=true
    • https://uploads.strikinglycdn.com/files/5fe9b370-ae7d-46e4-b361-744252687416/windows_server_2012_r2_cumulative_update_list.pdf
    • http://nanoxamovafosox.epizy.com/gofafexenekumogediw.pdf
    • https://uploads.strikinglycdn.com/files/75935dad-1014-4126-a4d4-133dcb874933/free_worksheets_on_idioms_for_3rd_grade.pdf
    • http://lojosikol.epizy.com/junivibufiwoselir.pdf
    • https://09d56968-2ae9-412d-ad86-e67dc63a1c23.filesusr.com/ugd/e8b91f_4be02136c8784268b6f27f9bf2eb26ad.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e302450a-c9aa-4cfa-93d4-ffcef3e822dc/the_riveras_show_online_free.pdf
    • http://nadedeve.rf.gd/b._sc_nursing_online_application_form_2019.pdf
    • https://b6c9d0de-81a1-4db9-ab7d-8a95af9e63d6.filesusr.com/ugd/b28ae2_c129d5de657f4a4ab29768109d733e2a.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ade546f4-9d32-4fb0-b14e-75632b10322c/what_is_the_effect_of_germination_on_the_rate_of_cellular_respiration_in_peas.pdf
    • https://uploads.strikinglycdn.com/files/cd4e1a7b-d48f-4cb2-841f-5fad2d130ef2/7855408353.pdf
    • https://1482387f-61d8-47e1-b538-9b7f1e8b89fb.filesusr.com/ugd/538d67_9911866e9f984886b19261c8aebd1cc7.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not navigable lure links: the w3.org, purl.org and ns.adobe.com strings are RDF/XMP schema namespace identifiers from the document's metadata, and scripts.sil.org/OFL is the SIL Open Font License URL that font files carry in their licence field. The two ascendercorp.com entries most likely come from the embedded fonts' vendor and designer name strings as well (an assumption; the report does not label their source). Only the jumiwimov.ru entry is labelled as reached through the link action.
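    The following Python scanner is an added example, not part of this report or of the analysis tool's code. It shows the three checks the heuristics above describe on one constructed sample: it scans raw PDF bytes for every `N G obj ... endobj` definition, reports object numbers defined more than once with different bodies and flags those that carry active keys (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule), resolves which /URI target a first-wins and a last-wins reader would follow (the PDF_URI / EMBEDDED_URL channel), and locates streams that begin with an sfnt header the way the font artifacts below were carved. The sample PDF, the example.org and phish.example URLs, the fake /Prev offset and the 32-byte font stub are all constructed for the example; the scanner reads raw bytes only and neither walks the xref table nor inflates /ObjStm object streams, so objects packed in compressed object streams are invisible to it.

```python
"""Scan raw PDF bytes for duplicate indirect objects, /URI link actions and embedded sfnt font streams."""
import re
from collections import defaultdict

# Keys whose presence makes a duplicated object "active" rather than a benign incremental-update edit.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")           # literal-string URIs only; hex strings are not handled
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")  # TrueType / CFF OpenType / Mac TrueType / collection

# Constructed sample: a one-page PDF whose link annotation (object 4) is redefined by an appended
# incremental update. Not a real sample; the URLs, the font stub and the /Prev offset are placeholders.
FONT = b"\x00\x01\x00\x00" + b"\x00" * 28   # sfnt magic plus padding, not a usable font
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Resources << /Font << /F1 5 0 R >> >> >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/manual.pdf) >> >>\nendobj\n"
    b"5 0 obj\n<< /Length 32 /Length1 32 >>\nstream\n" + FONT + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://phish.example/aws?utm_term=miter+saw) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order.

    The xref table is ignored on purpose: a first-wins and a last-wins reader disagree exactly
    when this list holds more than one distinct body for the same object number.
    """
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(objs: dict) -> list:
    """Objects defined more than once with differing bodies, flagged when any copy carries active content."""
    findings = []
    for key, bodies in objs.items():
        if len(set(bodies)) > 1:
            active = any(k in body for body in bodies for k in ACTIVE_KEYS)
            findings.append({"obj": key, "copies": len(bodies), "active": active})
    return findings


def uri_actions(objs: dict) -> dict:
    """URIs a reader would follow under first-wins and last-wins resolution of each object number."""
    out = {"first_wins": [], "last_wins": []}
    for key, bodies in objs.items():
        for policy, body in (("first_wins", bodies[0]), ("last_wins", bodies[-1])):
            out[policy] += [(key, uri) for uri in URI_RE.findall(body)]
    return out


def carve_sfnt(data: bytes) -> list:
    """(offset, length) of every uncompressed stream whose first bytes are an sfnt font header."""
    return [(m.start(1), len(m.group(1))) for m in STREAM_RE.finditer(data) if m.group(1)[:4] in SFNT_MAGIC]


if __name__ == "__main__":
    objs = parse_objects(SAMPLE)
    for finding in duplicate_objects(objs):
        print("duplicate object:", finding)
    for policy, uris in uri_actions(objs).items():
        print(policy, uris)
    for offset, length in carve_sfnt(SAMPLE):
        print(f"sfnt stream at offset 0x{offset:X}, {length} bytes")
```

    To run it against a real file, replace SAMPLE with the bytes read from disk. The first_wins and last_wins lists differ exactly when a duplicated object carries a link, which is the case the heuristic's severity rule keys on; a duplicate whose copies only differ in inert keys shows up in duplicate_objects with active=False.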

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000edde.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEDDE   5780 bytes
  SHA-256: acf6ffdf0dbe772ae89f4cf7cd7e8f1641feafc390a49975ce6e69be21537708
font_01_sfnt_off0001017f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1017F  10468 bytes
  SHA-256: 75a233a5b3e1e4670c6680e83936f92d8f8f4a4c6d12c4359e96bffbe6d83b6d