Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7df51d3498e1beb…

Verdict: MALICIOUS

File type: PDF
Size: 75.8 KB
Created: 2021-03-19 22:50:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7816abf57bd65491c857d87172aaf7a6
SHA-1: 9fa0d6981ef27b72c9fbc644b3c6370fd9965ec3
SHA-256: e7df51d3498e1beb9c5e2e0ce26fdec350b9446e18e641a554bb17a9619cc186

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an embedded URL that directs users to a suspicious domain, likely for credential harvesting or malware distribution. The presence of this URL suggests an attempt to trick the user into visiting a malicious site, consistent with a phishing attack delivered as an attachment.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/wix?keyword=el+mesias+ricardo+arjona+letra
    • https://cdn.sqhk.co/besudamuge/bpeidJJ/hitman_go_definitive_edition_ps4_review.pdf
    • http://madoxorijegobe.sportsontheweb.net/sagusuma.pdf
    • http://sizuxofutitarax.mypressonline.com/cancer_stem_cells_book.pdf
    • https://cdn.sqhk.co/vebapejun/gigiMOb/wemakedod.pdf
    • http://nonly.xyz/tokuvalawebupekexotu3bb.pdf
    • https://lufukosiresefo.weebly.com/uploads/1/3/4/7/134707539/7817921.pdf
    • https://mavitebe.weebly.com/uploads/1/3/1/1/131163983/durin-kibuxi-posaruredex.pdf
    • http://dommasters.site/perspectiva_conica_con_dos_puntos_de0l5y3.pdf
    • https://cdn.sqhk.co/nejijilo/WjaZCjd/zovuroxepi.pdf
    • https://bugagage.weebly.com/uploads/1/3/5/3/135330359/1932630.pdf
    • https://cdn.sqhk.co/josozudibud/0Hgfmji/20889830078.pdf
    • http://nesobaka9.xyz/drum_machine_patterns_booko7ofx.pdf
    • https://cdn.sqhk.co/dubikureta/apAifjd/supercars_new_2020_calendar.pdf
    • http://tehnikator.ru/how_to_tone_up_legs_in_2_weeksqneic.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/podawakumepewez/puzzle_games_free_for_windows_10.pdf
    • https://s3.amazonaws.com/wifukedot/how_long_is_the_waiting_list_for_section_8_in_san_diego.pdf
    • https://s3.amazonaws.com/zuvovoxigumuz/87441909188.pdf
    • https://569e8712-2873-4b93-a654-ea71b6b809e3.filesusr.com/ugd/345929_0f28587f1e1c42eaafcd4935d0435ca0.pdf?index=true
    • http://kepofif.onlinewebshop.net/55514152478.pdf
    • https://s3.amazonaws.com/sazomo/54311737119.pdf
    • https://d190c387-1498-4382-a59e-98d1a0a9794c.filesusr.com/ugd/a91264_1ad572c8e420459b9c7cd265ed4d5323.pdf?index=true
    • https://s3.amazonaws.com/metubevozisul/zewogodixerikuretixabida.pdf
    • https://db22a0a0-c6c8-4eb9-9878-037c50d93224.filesusr.com/ugd/e2b5b3_d1e9df43aaf84abab15ac6e4fc71ebc5.pdf?index=true
    • https://00407fa8-a9ef-4b78-9bbe-46147fc8acf6.filesusr.com/ugd/5ecadc_f392d3f485c945bc9b5d60e44e30582c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000eac8.bin
    SHA-256: 7f50ef4dc1fa57271fe518ac6e3d73d67a5e198dbcaba2ead1e8a60dfaa810fe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAC8
    Size: 5120 bytes
  • font_01_sfnt_off0000fc16.bin
    SHA-256: 9ad2d4ac83f256c1078c5cfc7a56c62d85974a9f88f49dc2b70da1053bfe98ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC16
    Size: 11052 bytes