Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8a0d80e588a3a49…

MALICIOUS

PDF

Size: 80.2 KB
Created: 2021-05-11 19:30:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c8a12b25126dc03347e2fb172f030147
SHA-1: d6512b50ee15b09b6d93c4dd5d468509c871fe1d
SHA-256: e8a0d80e588a3a4996e17a5075b983a3a7f7d471da55e393723f26c768a6d223
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain, identified as malicious by ClamAV and ML classifiers. The document body, though heavily obfuscated, appears to reference 'Marketing management kotler 15th edition summary', suggesting a lure to entice users to click the malicious link. No scripts were extracted, but the presence of the malicious URL and the high confidence verdict indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=marketing+management+kotler+15th+edition+summary
    • https://cdn.sqhk.co/vatomepipiw/ijUibhj/62391374886.pdf
    • https://cdn.sqhk.co/mopewedote/hexnidW/ap_module_grade_7_2nd_quarter.pdf
    • https://cdn.sqhk.co/savunowudob/iggfhdK/28833324420.pdf
    • https://cdn-cms.f-static.net/uploads/4380086/normal_6066d83c4dc4e.pdf
    • http://kogegoleteneka.iblogger.org/how_to_fundraise_with_a_restaurant.pdf
    • https://cdn.sqhk.co/nogorodizet/hhfkhfe/87020604996.pdf
    • https://cdn-cms.f-static.net/uploads/4374379/normal_605f53444ace6.pdf
    • https://cdn.sqhk.co/nexetifosam/hWACW6q/icy_hot_alternative_while_pregnant.pdf
    • https://cdn-cms.f-static.net/uploads/4366319/normal_5fe8102236d7f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/retisovojor/o_que__a_palavra_uniformemente.pdf
    • http://bojifif.rf.gd/different_forms_of_energy_and_their_sources.pdf
    • http://fasilew.epizy.com/62194096288.pdf
    • http://dinoxisajuz.rf.gd/aplikasi_kamus_arab_indonesia.pdf
    • https://uploads.strikinglycdn.com/files/ea9571f1-afa9-44e8-9aa8-7cb81febdc51/arris_sbg6782-ac_manual.pdf
    • https://uploads.strikinglycdn.com/files/fa2b93c2-af31-40ee-a62d-3d8f14ab1362/67022769558.pdf
    • https://uploads.strikinglycdn.com/files/2210da8f-3324-4bb7-9220-34b3037888ae/luboluze.pdf
    • https://uploads.strikinglycdn.com/files/fcc1c208-34d1-4336-a7cd-fad655c36974/how_many_calories_in_wendys_10_piece_spicy_nuggets.pdf
    • https://s3.amazonaws.com/dukavunivifa/kagometevesifevosube.pdf
    • https://uploads.strikinglycdn.com/files/bf6bc5d0-d006-4b9f-aa09-11b8c201e859/how_to_renew_an_expired_ham_radio_license.pdf
    • https://s3.amazonaws.com/sajatesawodiji/how_to_add_google_reviews_to_wix_site.pdf
    • https://s3.amazonaws.com/pululusodogi/hp_officejet_pro_8600_plus_driver_mac.pdf
    • https://uploads.strikinglycdn.com/files/7f8e89a8-9470-41cb-b211-dc71f12195bd/65619104281.pdf
    • https://uploads.strikinglycdn.com/files/64dd5e31-bc70-4619-a663-2a34f2672bbf/who_was_elected_vice_president_of_the_new_republic_of_texas.pdf
    • https://bit.ly/2UHBf06
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f974.bin
SHA-256: b83772442b7871870f684d4bbabf098fdd1b4d85de9c49465b687f0a2e5a2f8d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF974
Size: 5588 bytes

Filename: font_01_sfnt_off00010c66.bin
SHA-256: 62f3dcbc83a198e550ae3ffd691acfcaf1dc6fc8bf35384b03a25a587b5aebab
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10C66
Size: 11476 bytes