Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee1f3be7e5b15f4c…

Verdict: MALICIOUS
File type: PDF
Size: 93.7 KB
Created: 2021-03-10 03:31:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c5ef54292cd91d203c787220bb772dfe
SHA-1: db98ec419c67db350bf05cba07fe1d0c54610a75
SHA-256: ee1f3be7e5b15f4c463c7f57a2584638fe1fa515899d5231f7691ec8e6e609f3
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing site or download further malicious content. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of multiple unknown URLs suggests a broad phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9898

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/wix?keyword=lumaslim+arctic+root+reviews
    • http://diporesorojina.scienceontheweb.net/77026814850.pdf
    • https://kowadesilokawu.weebly.com/uploads/1/3/4/2/134265693/kigenaxa-tekitaj.pdf
    • http://hayatevesigar.online/african_philosophy_culture_and_traditional_medicine5km3i.pdf
    • http://delojenopow.66ghz.com/birthday_banner_design_eps_free.pdf
    • http://libuwapuvewipev.mywebcommunity.org/wheels_of_life_book_anodea_judith.pdf
    • http://tevaruv.sportsontheweb.net/wofan.pdf
    • https://rizegenaw.weebly.com/uploads/1/3/4/1/134108854/33d02c4dbad3fb6.pdf
    • https://static.s123-cdn-static.com/uploads/4475847/normal_5feb00a867f5c.pdf
    • http://lelekelosutov.getenjoyment.net/78605136171.pdf
    • https://cdn-cms.f-static.net/uploads/4444104/normal_600eb41e9cb18.pdf
    • https://static.s123-cdn-static.com/uploads/4408596/normal_5ff687d83775b.pdf
    • http://finuxezanasa.mygamesonline.org/wizards_first_rule_hardback.pdf
    • http://fivabigenarewo.22web.org/pudavatuluwig.pdf
    • https://static.s123-cdn-static.com/uploads/4446645/normal_5fccb8d626fc5.pdf
    • https://dabefetuxof.weebly.com/uploads/1/3/5/3/135320161/gezutukadukepa-jifubisiramo-gosotefexew-suwalina.pdf
    • https://debovibeki.weebly.com/uploads/1/3/4/7/134715081/5e38170a.pdf
    • https://femuketidoxesi.weebly.com/uploads/1/3/3/9/133997502/22f34e.pdf
    • http://tiktokcopyrighthelpteam.com/molobowosawebc2jr6.pdf
    • http://storeplus.pro/android_oyun_club_dream_league_indirrn556.pdf
    • http://mavitrade.com/libro_de_yordi_rosado_quiubole_paraiwnk5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/b009f412-9b83-4084-9ed3-3b49bee51738/xinawivu.pdf
    • https://uploads.strikinglycdn.com/files/dbac79d6-f95b-40f2-9914-219281f7ada2/xezoritexowogajasev.pdf
    • https://uploads.strikinglycdn.com/files/e928634c-b194-4932-a338-c453714f4c28/delta_shopmaster_scroll_saw_ss200_parts.pdf
    • https://uploads.strikinglycdn.com/files/4de41a02-eeee-4b23-aa72-142b3192ff66/2579802500.pdf
    • https://uploads.strikinglycdn.com/files/13ab331a-cd77-4656-bd33-046954950fcc/argumentative_essay_topics_for_8th_grade.pdf
    • http://sobikunukozi.rf.gd/61627074528.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, kind, source, size and SHA-256.

  • font_00_sfnt_off00011acc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11ACC
    Size: 4816 bytes
    SHA-256: a149bfa4f4fd9df19595f902443434304487e8379ad9b8180f74ffb718273091
  • font_01_sfnt_off00012b30.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12B30
    Size: 2092 bytes
    SHA-256: 0f740872c9ba99ba2808e86ca1aa710947acf25eef927d3004a187dd3557d740
  • font_02_sfnt_off000134d6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x134D6
    Size: 10888 bytes
    SHA-256: 11d8f0c23667410900bb91ce1a5b2b16fbba333af381a080faf8278ac8481ff5
  • font_03_sfnt_off00015a06.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15A06
    Size: 4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c