Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebfe5ed08b083440…

Verdict: MALICIOUS
File type: PDF
Size: 83.8 KB
Created: 2021-05-29 17:03:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 12f01f7d788cde683313c7b626cec3a9
SHA-1: 3dcc331a30adbfef51f08ea1961b39af7e688296
SHA-256: ebfe5ed08b08344085edf552089891c539862c157f70e0b67a072743bcfb9b97
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The embedded content, though heavily obfuscated, suggests a lure related to 'phone id faker mod apk unlimited credits'. Several URLs within the document point to PDF files hosted on various websites, likely serving as download locations for the malicious application.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d833.bin
    SHA-256: ac4ab637f25efbcb88c93ce5875283a0bf19e2f7928aa941be1eb3880bd3ca43
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD833
    Size: 5344 bytes
  • font_01_sfnt_off0000ea20.bin
    SHA-256: 3eadf3ff1ae85f7a2dd8be852d633ca148c1d24200a16cbd4325889adc5789c4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEA20
    Size: 2140 bytes
  • font_02_sfnt_off0000f3fa.bin
    SHA-256: d9c1f0cff5a0791f1d3e6f410fa89f8a6c453b6daccc91d1099cf990d37c91f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3FA
    Size: 10980 bytes
  • font_03_sfnt_off00011988.bin
    SHA-256: e112d1727f084c4c0b09e65035c88174b2194a39a20995b8457e204583f97d2f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11988
    Size: 17516 bytes
  • font_04_sfnt_off000132f9.bin
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x132F9
    Size: 4324 bytes