Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7ea919fbc0488a1…

MALICIOUS

PDF

Size: 86.8 KB
Created: 2021-03-15 13:26:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f1da5242b5fd06490c1fdb600d6adbb5
SHA-1: 5c640e6191484314cf9c8c59856f51c419ebe1db
SHA-256: e7ea919fbc0488a12983dae030778b7adf6b56b12ee19bf7be4cfeb97f5f87b0
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'maypoin.ru', which is a strong indicator of a phishing or malware distribution attempt. The PDF structure itself appears to be intentionally malformed, with duplicate object bodies, further suggesting malicious obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=tangled+pdf+emma+chase

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010085.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10085
    Size: 5424 bytes
    SHA-256: 82fdf982e8006969f0b4bc3d0e422c08e9e7f10b757e47662dcc21ec9f104373
  • font_01_sfnt_off000112d7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x112D7
    Size: 10824 bytes
    SHA-256: b30627095b8eac2aaa1c50267a7063cf6de5629bad0ff491c3fc80bff6f9345e
  • font_02_sfnt_off000137fc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x137FC
    Size: 16312 bytes
    SHA-256: b2563e85233037e3c2780690ed1455257f868516b5a962e54e6ffe29314c9cb1