Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb41559c019bc37f…

Verdict: MALICIOUS
File type: PDF
Size: 101.6 KB
Created: 2021-03-09 04:48:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 890a9512e7905c0d5cf8c0b24be00bbb
SHA-1: c91e421b2c099f0745e7da17615886a0b42e09d7
SHA-256: eb41559c019bc37fc8da543cf7a253978c5305cb11905831e80c0286c871de44
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified as malicious by ClamAV and ML classifiers. The document body, though heavily obfuscated, suggests a lure related to 'emoji football quiz answers', which is a common tactic for phishing or malware delivery. The presence of external URIs indicates an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9978

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://resalured.ru/123?utm_term=emoji+football+quiz+answers+2018

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename, kind, source and size of each carved file (SHA-256 on the following line):

  • font_00_sfnt_off00010da7.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x10DA7, 5756 bytes
    SHA-256: f8e242ac907bfa6c86615f3c68a5ced06f5b211edda013d4efd3e59dd45f786a
  • font_01_sfnt_off00012140.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x12140, 8108 bytes
    SHA-256: 5f1270ab7615b1b6c905e9ac22955d000716b4249419526b119a3a67c151c98d
  • font_02_sfnt_off00013c35.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x13C35, 11980 bytes
    SHA-256: f8be9d981b9f18fbe6d6b47bc810ac53d5bf27ad4f2a62e9e7bea99ba393ec50
  • font_03_sfnt_off000163fe.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x163FE, 16248 bytes
    SHA-256: 05c0809caf3c964cccd60e7cfe9f3752dd74f889ee1e657210f81b1c82280a7c
  • font_04_sfnt_off00017955.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x17955, 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361