Malicious PDF — malware analysis report

Static analysis result for SHA-256 e905e760503bac7a…

Verdict: MALICIOUS

File type: PDF

Size: 74.7 KB
Created: 2021-03-15 20:48:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fa66d571a79b4e89570bb94ba51708fb
SHA-1: 7547114ad945261ce99b598b94f6c0e4d3cb2fab
SHA-256: e905e760503bac7adedd2af05d9d9fb403731d3bb66422ed8197bcc19352fcf5
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ClamAV (signature Pdf.Phishing.Trojan, see Heuristics) and the Nyx ML classifier (score 0.9991) flag the file independently, so the malicious verdict does not rest on a single detector. The producer string (wkhtmltopdf via Qt) shows the document was rendered from HTML, and the evidence extracted is link-based rather than script-based: the external URL action points at 'https://botokaw.ru/aws?utm_term=how+to+pair+plantronics+backbeat+fit+with+laptop', a search-query-style URL consistent with a phishing lure that sends the reader to an attacker-controlled site. No JavaScript or other script content was extracted, so the T1059.007 (JavaScript) mapping above is not corroborated by the artifacts; the behaviour actually in evidence is T1566.001 (Spearphishing Attachment) delivering a redirect. Because the duplicate-object heuristic also fired, the link target should be confirmed against both the first and the last definition of the affected object, since first-wins and last-wins readers may resolve different content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The first entry, labelled URL, is the one the summary above identifies as the lure. The trailing w3.org, purl.org and ns.adobe.com entries are XMP/RDF metadata namespace identifiers, and scripts.sil.org/OFL and ascendercorp.com are a font licence and a foundry reference most likely carried in the embedded font data; none of these is a navigable lure.
    • URL https://botokaw.ru/aws?utm_term=how+to+pair+plantronics+backbeat+fit+with+laptop
    • https://baduzizexajozej.weebly.com/uploads/1/3/4/6/134653824/fupejolerebevoba.pdf
    • http://proita.fun/22878137853hr6sl.pdf
    • http://romeital.space/architecture_company_profile_samplexad74.pdf
    • http://get3creditscores.info/kikemudutatuwesumi83nap.pdf
    • https://xososikanezav.weebly.com/uploads/1/3/4/8/134892973/tozisetuwokob-rorule-jogate-refujaf.pdf
    • http://itclick.pro/78509111882h7qop.pdf
    • https://legobunisazej.weebly.com/uploads/1/3/4/5/134501617/dugutalemuzitame.pdf
    • http://zivasajotafu.iblogger.org/83918004686.pdf
    • https://fepafevadaxajaw.weebly.com/uploads/1/3/4/0/134095897/541dd976.pdf
    • http://icily.xyz/toshiba_tv_screen_goes_black_after_a_few_minutesf3rah.pdf
    • https://rogebanapixiwo.weebly.com/uploads/1/3/5/3/135343373/sezinamenaj_loxetuw.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/geradi/95719730573.pdf
    • https://uploads.strikinglycdn.com/files/c56dfb4d-337a-4632-8b89-fedd40704265/actions_the_actors_thesaurus_download.pdf
    • https://uploads.strikinglycdn.com/files/f919dd15-5300-4a1a-8cf2-23a013f7ea5e/33087295593.pdf
    • https://s3.amazonaws.com/xedewofuretujo/28342727085.pdf
    • https://uploads.strikinglycdn.com/files/6ab986da-d2fa-44bb-a392-9e66bba14956/gumowefewutujomisija.pdf
    • https://1e1f235d-56dd-4976-b20d-d38e3fe7b172.filesusr.com/ugd/210b45_c170f32b50c942ccbffb4022a2eae569.pdf?index=true
    • https://34570882-574e-4d25-8c0e-d8b9b6c2967f.filesusr.com/ugd/cb2bed_6d1e59b5179a4274b0cf2c718fd3f35d.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c7cc4724-bf87-4659-9652-0bf691ab0440/jisulatojasi.pdf
    • https://s3.amazonaws.com/wewuxuviwar/biladojanorusikoji.pdf
    • http://xumizimewimapa.epizy.com/40082349750.pdf
    • https://s3.amazonaws.com/tugabijenovili/gijenavisisirul.pdf
    • https://uploads.strikinglycdn.com/files/e8e1b38f-6648-475f-bda8-f81613efdf2b/pipavorarovimibifarama.pdf
    • https://5a1138df-423b-4a5d-a7c7-36223740754e.filesusr.com/ugd/a72fa8_d7e3a894cf134c27a19b63212825c531.pdf?index=true
    • https://s3.amazonaws.com/xalexojaxipud/kathi_mela_kathi_audio_song_ringtone.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e55f.bin
  SHA-256: e11c6f3c9cd8bd2ff206bd8f177a22ddb08988a9d1c2c814be483dc26add40fb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE55F
  Size: 5360 bytes

Filename: font_01_sfnt_off0000f7a0.bin
  SHA-256: eb992107209801cb75d1df374f5176c9c44d665dd32ee386eb40124702ffa97d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF7A0
  Size: 11016 bytes

Both carved artifacts are embedded sfnt font streams; no script, executable or other payload was carved from the sample.