Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8e114ee0f8a9673…

Verdict: MALICIOUS
File type: PDF
Size: 80.9 KB
Created: 2021-03-21 11:28:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-21
MD5: c68e3738fe64117b3956a418847762ae
SHA-1: 6cd824c8736d4c6b6bbfae319b461a6645248dab
SHA-256: e8e114ee0f8a96737a9b0f8e91d0c65c625cc27373557a93b412f4eb23376588
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. The document body, though heavily obfuscated, suggests a lure related to 'covid 19 and education' to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=research+topics+on+covid+19+and+education (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
font_00_sfnt_off0000fb2e.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB2E  | 5404 bytes
  SHA-256: a1999c957993fe3f1a80b0036011357fab2b8a6bda05666e5156d8aba58ddc2b
font_01_sfnt_off00010d95.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10D95 | 12112 bytes
  SHA-256: 5595cb463b310790963ab57821aeabde22a5cd930c5cb22e3a011eed093546ec