Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6a90bea49885371…

Verdict: MALICIOUS

File type: PDF

Size: 68.3 KB
Created: 2021-03-28 00:49:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4a3c20ab0b5beec6793e83c682d0da4b
SHA-1: 2e54871561955721e0c92089ce6e0e6ffab2609f
SHA-256: e6a90bea49885371bce583d7f6f7b62b3982f42358a35b312aafb9c2b8dc875a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF that carries an external URL action (heuristic PDF_URI) whose target, https://lozipotod.ru/wix?keyword=properties+of+ionic+compounds+lab+answers, names the lure in its keyword parameter: homework 'lab answers', matching the worksheet-style filenames among the other extracted links. The Nyx PDF classifier (score 0.9998) and the ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 both classify the document as phishing. The visible document text is obfuscated, so the lure theme is established from the URL rather than from the body; its purpose is to get the reader to click through to the external site. One indirect object is also defined twice with differing bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), a shape that is consistent with an ordinary incremental update and was therefore rated informational.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also what ordinary incremental updates (re-saves) produce, so severity is raised only when the duplicate carries active content such as a URI, JavaScript or launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/wix?keyword=properties+of+ionic+compounds+lab+answers
    • http://pufopiguzelefe.22web.org/android_file_from_url_tutorial.pdf
    • http://femirokiko.iblogger.org/87341453853.pdf
    • https://cdn-cms.f-static.net/uploads/4495241/normal_5fd6f43b3b01e.pdf
    • https://cdn-cms.f-static.net/uploads/4500877/normal_603e189b60f49.pdf
    • https://static.s123-cdn-static.com/uploads/4489717/normal_60078e09e744a.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jodetiwozefiso.epizy.com/ximobiferufutulabawa.pdf
    • https://uploads.strikinglycdn.com/files/d5f5245e-8838-40f4-b036-c4dca06984c1/goluzaxad.pdf
    • http://mirimanomuropa.rf.gd/the_story_of_ruby_bridges_discussion_questions.pdf
    • http://xuvunemomot.epizy.com/57678425059.pdf
    • http://xeribelemuxi.rf.gd/buliboxaw.pdf
    • http://gogibesu.rf.gd/59900919856.pdf
    • https://uploads.strikinglycdn.com/files/b8622801-fdee-4a27-b2f9-65447def777c/usb_keyboard_wire_color_code.pdf
    • http://memokos.epizy.com/9995869847.pdf
    • http://kipixuge.epizy.com/73070173602.pdf
    • https://f538c46d-6aff-4997-95da-320e40b30403.filesusr.com/ugd/262ba4_97eefb42b47d4c82925e5ec5407f757a.pdf?index=true
    • https://d5bea983-5bca-41ba-aae6-6b688785cc77.filesusr.com/ugd/9ec29b_34efa1669e294ad9a8aefff6d6de2b7b.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
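
The two PDF heuristics above describe mechanisms a triage script can reproduce: pulling /URI action targets out of the file, and finding an indirect object that is defined twice with different bodies, then checking which body a first-wins or a last-wins reader would select and whether either body is active content. The Python below is an added example written for this page, not code from the analysis platform that produced the report. It runs on a constructed minimal PDF; the object numbers, the example.invalid URL and the "info unless active content" severity rule are assumptions chosen to illustrate the heuristic text, and the scanner works on raw object bodies with regular expressions rather than following xref tables or decoding streams.

```python
import re
from collections import defaultdict

# Constructed sample, not the analyzed file. The original body defines object 4
# as a bare link annotation; an appended incremental update redefines 4 0 obj
# with a /URI action. Cross-reference sections are omitted on purpose: this
# scanner reads object bodies directly, which is also what lenient readers do
# when the xref is missing or wrong.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] >>
endobj
trailer
<< /Root 1 0 R /Size 5 >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.invalid/lab-answers) >> >>
endobj
trailer
<< /Root 1 0 R /Size 5 >>
%%EOF
"""

# Same file, but the update only moves the annotation: a body-only difference
# with no active content, which is what an ordinary editor re-save looks like.
BENIGN_UPDATE = SAMPLE_PDF.split(b"%%EOF")[0] + b"""%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 650 300 670] >>
endobj
trailer
<< /Root 1 0 R /Size 5 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?s)(\d+)\s+(\d+)\s+obj\b(.*?)endobj")
# Literal-string form only; a hex-string URI (<...>) would need a second pattern.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Dictionary keys that turn a plain object into something a viewer will act on.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")


def parse_objects(data):
    """Map (num, gen) -> list of body bytes for every 'N G obj ... endobj', in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def resolve(objs, key, policy):
    """Emulate a first-wins ('first') or last-wins ('last') reader for one indirect object."""
    bodies = objs.get(key)
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def carries_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def extract_uris(data):
    """All /URI action targets in the file, regardless of which object holds them."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def assess(data):
    """Report duplicate definitions, whether reader policies disagree, and every /URI target."""
    objs = parse_objects(data)
    findings = []
    for key, bodies in objs.items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or a byte-identical re-emission
        first, last = resolve(objs, key, "first"), resolve(objs, key, "last")
        findings.append({
            "object": key,
            "definitions": len(bodies),
            "readers_disagree": first != last,
            # Assumed policy from the heuristic text: info unless a body is active content.
            "severity": "high" if carries_active_content(first) or carries_active_content(last) else "info",
        })
    return {"duplicates": findings, "uris": extract_uris(data)}


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("benign_update", BENIGN_UPDATE)):
        print(name, assess(blob))
```

On the constructed sample the duplicate of object 4 0 is flagged high because the last-wins body carries a /URI action while the first-wins body does not; on the re-save variant the same object is flagged info only. Objects packed into compressed object streams (/ObjStm) and URIs written as hex strings are outside what this regex pass sees, so a negative result from it is not a clean bill.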

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000cb9d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xCB9D  5532 bytes
  SHA-256: 9f63fb0b89eb55af35da94a3b4a455a51e002a307f83dd027eec6540d08e0264
font_01_sfnt_off0000de63.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDE63  11224 bytes
  SHA-256: 275db97799aa51d9eaad0399fdcc10a725676e6324fc6c97e650edabcbeec8e4