Malicious PDF — malware analysis report

Static analysis result for SHA-256 e68273c63096c564…

Verdict: MALICIOUS
File type: PDF
Size: 112.4 KB
Created: 2021-03-06 19:20:29 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d02308125ad18f444f218717057d5c5f
SHA-1: ceca749d99e7f196d656d11249a91f0979aa8e83
SHA-256: e68273c63096c564b7cc619a5a402ebb930619d9533a19d606386434abd16d05
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a heuristic indicating an external URI, which points to a suspicious domain. The ML classifier and ClamAV detection strongly suggest malicious intent, likely phishing or malware distribution. The document body, though heavily obfuscated, contains text related to song lyrics, which appears to be a lure to direct the user to the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xezojetit.ru/wix?keyword=dragostea+din+tei+lyrics+video

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_004_off00017418.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x17418
    Size: 8544 bytes
    SHA-256: 9c1b352629b43938ddcef752102b29ee5433205ef1af7f226d25a65bdab6e12c
  • font_00_sfnt_off00012dff.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12DFF
    Size: 16044 bytes
    SHA-256: 355af23eb66758d89154b3fc0cfb65d3d340e80ca0289d426b07e402ee1d39bf
  • font_01_sfnt_off00016218.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16218
    Size: 5268 bytes
    SHA-256: fc6a4c3eecdfeb133b90b8c9d533ab360eded2bf8a04e51c0a20732020367644
  • font_03_sfnt_off00018bf3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18BF3
    Size: 12228 bytes
    SHA-256: c0348975ea2df71cbf54af7268cf128b94d5df76cd69569c804bb7c86a44a7b3