Malicious PDF — malware analysis report

Static analysis result for SHA-256 e65ac742f8b8a907…

MALICIOUS

PDF

220.0 KB Created: 2021-06-07 18:30:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a912c82ea4254bd78595cc6912ad7495 SHA-1: 6204c67764436fe7a70f62b3cc65ef169e7c41e1 SHA-256: e65ac742f8b8a9071838356ea29a9fa5c4c6febdc4b5e90e9ab5607fbed285cd
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains multiple embedded URLs, with one prominently featuring a download-related query. The presence of a 'download button' heuristic and ClamAV detection as 'Pdf.Phishing.Trojan' strongly suggests a phishing or malware distribution attempt. The document's structure and embedded links indicate it's designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9689

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/pbw?utm_term=download+bhagwat+geeta+in+english+pdf
    • https://tunupufimudodo.weebly.com/uploads/1/3/4/3/134324073/93e1cf15c1855.pdf
    • https://tilifezazam.weebly.com/uploads/1/3/4/7/134763305/d5f3c.pdf
    • https://robivitoj.weebly.com/uploads/1/3/4/3/134334713/poxadatov_suzixa.pdf
    • https://gitikatul.weebly.com/uploads/1/3/4/7/134749175/banujilopivo-vilulupemeni-narodavizi-naxodosujagozu.pdf
    • https://lukumupanulafaz.weebly.com/uploads/1/3/4/6/134683212/9109804.pdf
    • https://cdn-cms.f-static.net/uploads/4450624/normal_603659602b8b8.pdf
    • https://gudivolopuna.weebly.com/uploads/1/3/5/3/135346868/sinet-tewifubevunuwew-kigilugis-bexirir.pdf
    • https://cdn-cms.f-static.net/uploads/4495254/normal_5fd6b05fd301a.pdf
    • https://golujubomo.weebly.com/uploads/1/3/4/0/134017735/1821495.pdf
    • https://static.s123-cdn-static.com/uploads/4426279/normal_5fcb7ae595acf.pdf
    • https://cdn-cms.f-static.net/uploads/4370547/normal_5fe64cb2ca4a5.pdf
    • https://cdn-cms.f-static.net/uploads/4446264/normal_6014a0d78eec9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://vimadutukad.pbworks.com/f/buzuwivevoroz.pdf
    • http://kufujibumufa.pbworks.com/f/what_time_does_chase_bank_close_on_saturdays.pdf
    • https://uploads.strikinglycdn.com/files/8c4270dc-a90b-48f5-9b7b-d777e9a609a1/wedav.pdf
    • http://podimil.pbworks.com/w/file/fetch/144567579/48370690149.pdf
    • http://zajozote.pbworks.com/w/file/fetch/144571236/fifa_14_free_download_apkdata.pdf
    • http://pajinap.pbworks.com/w/file/fetch/144497049/do_you_check_manual_transmission_fluid_hot_or_cold.pdf
    • https://uploads.strikinglycdn.com/files/dc8d669f-4f78-4541-af18-ff3351b4700a/lorufapifogisikasixugofin.pdf
    • http://luwivaj.pbworks.com/w/file/fetch/144517653/how_do_you_change_the_governor_on_a_tecumseh_engine.pdf
    • http://febamizilaw.pbworks.com/f/jomujipilunabe.pdf
    • https://uploads.strikinglycdn.com/files/b945b79d-1d54-4815-b57b-89c0d16d0b49/fuwuxijazegufa.pdf
    • http://finatin.pbworks.com/f/how_to_do_a_force_reset_on_iphone_6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002fa6c.bin
771c53ebdf577b528d5a2f2c93d068f268b9ce96fa0fb56e6977ee2cfd63ff98		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2FA6C 5440 bytes
font_01_sfnt_off00030cfc.bin
814992be763021c11dca23fed22b8bb7a0f9688c8b5af2f3d58b36f318d7b63c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x30CFC 3740 bytes
font_02_sfnt_off00031876.bin
6a73628231a355a6edc1a046c3540e8b71f1d02630c54114e3b0e6ef156cf08a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x31876 16112 bytes
font_03_sfnt_off000347c9.bin
4d93e0fafa3b5f903df1a3915b01a84527779906449deece76e4bbfdc8b77522		 pdf-font-stream PDF embedded font (sfnt) at offset 0x347C9 6672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.