Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea716ea14fd6f954…

MALICIOUS

PDF

Size: 104.1 KB
Created: 2021-03-19 04:20:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c79be8b9e9548e06a3632363897fa065
SHA-1: 2efba9ff492918b75c1e3e029684d38f5f37d466
SHA-256: ea716ea14fd6f95472069c15f67d0c9771392bc600af06f01fc4afcb4f9196e8
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI that leads to a suspicious domain, likely intended to trick the user into visiting a malicious site. The document body, though heavily obfuscated, contains keywords related to the embedded URL, suggesting a phishing lure.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9936)

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                         SHA-256                                                            Kind              Source                                   Size
font_00_sfnt_off000149e2.bin     3110b8df96bdc1a482225e8f4ba8a61cc9af6115ab3ee9e02ad152e70c60aca5   pdf-font-stream   PDF embedded font (sfnt) at offset 0x149E2   5220 bytes
font_01_sfnt_off00015b8d.bin     87a3f0929faa6164d2be68be97b4d176a43481a51b6db783a8c841dcccb1444e   pdf-font-stream   PDF embedded font (sfnt) at offset 0x15B8D   11852 bytes
font_02_sfnt_off000183e0.bin     b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c   pdf-font-stream   PDF embedded font (sfnt) at offset 0x183E0   4324 bytes