Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9d94a177f3255ed…

Verdict: MALICIOUS
File type: PDF
Size: 74.6 KB
Created: 2021-02-21 04:54:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6db5f60f4cf776a7b5b412cad746a351
SHA-1: dbc9ed36f2f37d764d465fc2c8b45c801b26d0be
SHA-256: e9d94a177f3255ed1c2eaf836c9c7ca4cd6f5d60722ad46a60eea27ea465d414
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. It contains numerous embedded URLs, with one prominent URL suggesting a lure related to 'Superman family comic'. The presence of embedded URLs and the nature of the detection suggest the document is designed to redirect users to malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/wix?keyword=superman+family+comic

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000e8df.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE8DF  5188 bytes
  SHA-256: 9a3b6b47f8c597f7cac8226fc410135f9a4604b98a895aa3d05a2ced615e0a2f
font_01_sfnt_off0000fa7d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFA7D  10232 bytes
  SHA-256: e7917c05c9fdacdb5c199d40e70ab775e76459b83516cfe20343d26f5ed9d521