Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea95e0523607e61c…

MALICIOUS

PDF

Size: 77.3 KB
Created: 2021-06-09 22:12:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: f6359075673c2e12099910f5aeebbbc6
SHA-1: 57b0abab5e178e0d652c36290c93cc54e42cc5d6
SHA-256: ea95e0523607e61c760d5f7c453d803d094f6b3ee69c180c951e8f7e0b51ba7a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. It contains an embedded URL that, when clicked, leads to a suspicious domain. The document body, though heavily obfuscated, suggests a lure related to a 'general knowledge quiz'. No scripts were extracted, but the presence of an external URI and the overall detection profile point towards a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crewmak.ru/pbw?utm_term=general+knowledge+quiz+class+7 (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
------------------------------|-----------------|-------------------------------------------|------------
font_00_sfnt_off0000ed94.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED94 | 5552 bytes
  SHA-256: e86b225c5e9bed52f0395490e31cdc303e6e259b37ee767005437bfb8ebaff84
font_01_sfnt_off000100a4.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x100A4 | 11236 bytes
  SHA-256: 26bc38d1517948ebc6be061da8c0108690d05dc8112c28c859847c8b81866087