Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8b758fde6ddce29…

MALICIOUS

PDF

Size: 80.8 KB
Created: 2021-03-26 08:09:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a669d629233b57c3a83b35ce9cf61162
SHA-1: 8035f85cf4500aa22a01f7b06a9b6680876d9585
SHA-256: e8b758fde6ddce29117c928fdb29e0acebe7739305e1309879e8208f8734131b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified by heuristics and a machine learning classifier as malicious. The ClamAV detection further confirms its malicious nature. The document body, though heavily obfuscated, suggests a lure related to 'Arabic hit song 2017', indicating a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000fdf5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFDF5 | 5564 bytes
  SHA-256: 4c56c8143d0d7239f7cd49d9710ea740875cdbac5da503d6621d7b46527cb702
font_01_sfnt_off000110e8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110E8 | 10480 bytes
  SHA-256: 77cb70dff65322183523dd54f5b7132b5f7c698ef76c0413a76a31894dce4fdd