Malicious PDF — malware analysis report

Static analysis result for SHA-256 eefdae365ec44341…

Verdict: MALICIOUS
File type: PDF
Size: 105.3 KB
Created: 2021-04-02 01:50:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e8e442aaffef26c5d95223d279862462
SHA-1: 993a783fcd7267dbf9bc43016fcc42d2a7f39257
SHA-256: eefdae365ec44341ce756239c4b24a20a83b9f4aaea695c070dff2916f1396ef
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

ClamAV flagged the file as Pdf.Phishing.Trojan and the machine-learning classifier scored it 0.9983 malicious. The embedded URL `https://jumiwimov.ru/award?keyword=obc+caste+form+pdf+rajasthan` is a lure keyed to a search for Rajasthan OBC caste-certificate forms; the remaining extracted links are a mix of free-hosting subdomains (22web.org, rf.gd, epizy.com, iblogger.org), CDN-hosted PDFs, and benign metadata references (XMP namespaces and font licence pages) that carry no weight on their own. No JavaScript was extracted, so the T1059.007 mapping rests on the document structure and the URL lure rather than on recovered script content; the delivery vector is consistent with a spearphishing attachment (T1566.001).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/award?keyword=obc+caste+form+pdf+rajasthan
    • https://cdn-cms.f-static.net/uploads/4367308/normal_6047507a49232.pdf
    • http://jogemijafiw.22web.org/honda_rebel_250_engine_upgrades.pdf
    • https://cdn.sqhk.co/lilavokolet/hV4U8ih/pocket_bully_for_sale_in_dallas.pdf
    • https://cdn-cms.f-static.net/uploads/4409248/normal_6064166172e57.pdf
    • https://static.s123-cdn-static.com/uploads/4384030/normal_5ff89cef28fc1.pdf
    • https://static.s123-cdn-static.com/uploads/4463279/normal_5ff2b330b5cba.pdf
    • https://cdn-cms.f-static.net/uploads/4465262/normal_602e0e5c477a7.pdf
    • http://vejobazure.22web.org/27646421235.pdf
    • http://fumerox.iblogger.org/ppt_templates_for_seminar_presentation_free.pdf
    • https://cdn.sqhk.co/mogowepuw/rjigRhi/parler_a_mon_pere_meaning_in_english.pdf
    • https://static.s123-cdn-static.com/uploads/4381105/normal_5fe4059da49dd.pdf
    • https://cdn.sqhk.co/pobumepova/ggic4hg/gedifukup.pdf
    • https://static.s123-cdn-static.com/uploads/4366316/normal_5fc9a3112678b.pdf
    • https://cdn.sqhk.co/fiseguvugele/a4t6GBZ/does_not_commute_apk_premium.pdf
    • https://static.s123-cdn-static.com/uploads/4501229/normal_5ff027e4c7d79.pdf
    • http://zelafagilu.iblogger.org/wevojetefereragile.pdf
    • http://felezebelitex.iblogger.org/brocade_6505_datasheet.pdf
    • http://fedorahosted.org/lohit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://zividovapajawuv.epizy.com/pamunedak.pdf
    • http://bususetut.epizy.com/falemu.pdf
    • http://mosetewugalivu.epizy.com/methods_of_acquiring_archival_materials.pdf
    • http://kepelagivon.rf.gd/rajesal.pdf
    • http://litomoli.epizy.com/64537931883.pdf
    • http://kokitivem.rf.gd/tapadalososeki.pdf
    • http://vevosewis.rf.gd/lorazepam_davis_plus.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
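The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL with per-channel labels) can be reproduced with a small scanner. The following Python is an added example written for this page, not the analysis platform's own detection code; SAMPLE_PDF is a constructed skeleton (its object 5 is redefined by an incremental update and the URLs in it are placeholders), and the function names are the author's choice.

```python
import re
from collections import defaultdict

# Constructed sample, not the analysed file: a minimal PDF skeleton whose
# object 5 (a link annotation) is defined twice with different bodies, the
# second definition arriving via an incremental update after the first %%EOF.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] /Contents 4 0 R >> endobj
4 0 obj << /Length 0 >> stream
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
 /A << /S /URI /URI (https://docs.example.org/form.pdf) >> >> endobj
6 0 obj << /Type /Metadata /Subtype /XML >> stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
 /A << /S /URI /URI (http://lure.example/award?keyword=form+pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" indirect object definitions, in file order.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Keys that make an object "active" (reach the network, run script, launch).
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|SubmitForm|OpenAction|AA)\b")
# A /URI action: the link-annotation channel.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def parse_objects(pdf):
    """Map (num, gen) -> list of body bytes; duplicates are kept, first to last."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies, and whether any
    definition carries active content (the shape the heuristic escalates on)."""
    dups = {}
    for key, bodies in objs.items():
        if len(set(bodies)) > 1:
            dups[key] = {
                "first": bodies[0],
                "last": bodies[-1],
                "active": any(ACTIVE_RE.search(b) is not None for b in bodies),
            }
    return dups


def resolve(objs, key, policy="last-wins"):
    """What a first-wins or last-wins reader would use for this object."""
    bodies = objs[key]
    return bodies[0] if policy == "first-wins" else bodies[-1]


def urls_by_channel(objs):
    """Label every URL by the channel that reaches it: /URI link action,
    XMP metadata stream, or the remaining document body."""
    channels = defaultdict(set)
    for bodies in objs.values():
        for body in bodies:
            is_meta = b"/Metadata" in body or b"xmpmeta" in body
            action_urls = set(URI_ACTION_RE.findall(body))
            for u in action_urls:
                channels["link-annotation"].add(u.decode())
            for u in URL_RE.findall(body):
                if u in action_urls:
                    continue
                channels["metadata" if is_meta else "document-body"].add(u.decode())
    return dict(channels)


def report(pdf=SAMPLE_PDF):
    """Severity follows the heuristic text: body-only duplicates are info,
    duplicates carrying active content are raised."""
    objs = parse_objects(pdf)
    dups = duplicate_objects(objs)
    findings = [(key, "suspicious" if d["active"] else "info") for key, d in dups.items()]
    return {"duplicates": dups, "findings": findings, "urls": urls_by_channel(objs)}


if __name__ == "__main__":
    r = report()
    for key, sev in r["findings"]:
        print(f"object {key[0]} {key[1]}: duplicate body, severity={sev}")
        print("  first-wins ->", resolve(parse_objects(SAMPLE_PDF), key, "first-wins")[-60:])
        print("  last-wins  ->", resolve(parse_objects(SAMPLE_PDF), key, "last-wins")[-60:])
    for channel, urls in r["urls"].items():
        print(channel, sorted(urls))
```

On the sample, a first-wins reader follows the benign docs.example.org link while a last-wins reader follows the lure, which is exactly why the duplicate is escalated only when one of its bodies carries active content; the XMP namespace URL lands in the metadata channel and would not be scored.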

Extracted artifacts (5)

Files carved from inside the sample during analysis.

stream_006_off0001649b.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x1649B
  Size:    16696 bytes
  SHA-256: 06aec766f864757fbb815ff30c124bfa2d5ab39dabe604a22b5e83650597c3b1

font_00_sfnt_off00010bda.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10BDA
  Size:    5348 bytes
  SHA-256: cb7f7666eb9da14ec290cc59fa0c99da4c1dc1a005d8b5463ee710f566b01acc

font_01_sfnt_off00011dd6.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x11DD6
  Size:    10372 bytes
  SHA-256: 8db1fcac6a051e5292f9574203c29960a7175fa6551e121e4b5807a29dea325f

font_02_sfnt_off00014180.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x14180
  Size:    16172 bytes
  SHA-256: 96e06106e3006553386fba87c243c4a28b622411f61b38071404873282de63a9

font_03_sfnt_off0001569b.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1569B
  Size:    4324 bytes
  SHA-256: 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3