Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef3254aed2a63625…

MALICIOUS

PDF

Size: 75.6 KB
Created: 2021-03-14 17:28:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b5b7e6c798af45880000cd2a4338e4a7
SHA-1: 155bab665ea4fce96d6f07daba8d9a0dfa82d1b9
SHA-256: ef3254aed2a636254d47d07042f6d7180a1434a9fdcaf1bb77a65bbe5e03c650
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Both the Nyx PDF classifier (malicious score 0.9996) and ClamAV flag this file, ClamAV with a Pdf.Phishing.Trojan signature. Structurally it is a wkhtmltopdf-generated document whose body carries several dozen outbound links: a lure URL on dafemum.ru advertising 'clash of clans cheat codes for gold', followed by a long run of .pdf download links on free-hosting and CDN domains (strikinglycdn.com, f-static.net, s123-cdn-static.com, sqhk.co, epizy.com, rf.gd, iblogger.org, 22web.org). This is consistent with a phishing or scam lure that redirects the reader to further downloads rather than with an exploit document. The file also carries an external /URI action and one indirect object defined twice with different bodies, an incremental-update shape that first-wins and last-wins parsers resolve differently. No JavaScript or other script was extracted, so the T1059.007 mapping is not backed by a recovered script; the verdict rests on the classifier, the ClamAV signature and the redirect behaviour. The remaining URLs in the list (the w3.org, purl.org and ns.adobe.com namespaces, scripts.sil.org/OFL and ascendercorp.com) are XMP metadata namespaces and embedded-font licence and vendor references, not lures, and should be ignored when pivoting on infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content (for example a JavaScript, URI, Launch or OpenAction entry).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
    • https://dafemum.ru/wix?keyword=clash+of+clans+cheat+codes+for+gold
    • https://cdn-cms.f-static.net/uploads/4461777/normal_5fdc487540e83.pdf
    • https://static.s123-cdn-static.com/uploads/4411714/normal_5fe1548fd85a5.pdf
    • http://bovinuxunegobi.iblogger.org/kali_linux_basic_commands_with_examples.pdf
    • http://kewegagibemidaj.22web.org/minuet_in_g_major_anna_magdalena_bach_sheet_music.pdf
    • https://cdn-cms.f-static.net/uploads/4419630/normal_5fe939afbb1ea.pdf
    • https://static.s123-cdn-static.com/uploads/4387817/normal_5fe030f7a2b6e.pdf
    • https://cdn.sqhk.co/fedelubu/jjjiGhi/newune.pdf
    • https://cdn.sqhk.co/keridola/vXZbhg4/juvadofirezexavovajuji.pdf
    • https://cdn.sqhk.co/dagosasojo/ghzhgyY/jizemuwabovipav.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3f80fbc6-ac31-4a72-921b-36a3d73902a2/49125357580.pdf
    • http://poxizaxo.epizy.com/37304021741.pdf
    • https://uploads.strikinglycdn.com/files/9e353c55-a540-44ca-bc23-883bc01d2737/jorge_luis_borges_book_of_imaginary_beings.pdf
    • https://uploads.strikinglycdn.com/files/818cafdf-5f9a-4ede-86ca-e8768d4f49d7/jedunetulutewa.pdf
    • http://dufeniwa.rf.gd/ala_vaikuntapuramlo_samajavaragamana_lyrics.pdf
    • https://uploads.strikinglycdn.com/files/ba03e403-81bb-409b-8533-8ee892d52396/a6400_vs_a6500_camera_decision.pdf
    • https://uploads.strikinglycdn.com/files/c47d4add-dc36-4ca5-b73d-27c40cf7f264/is_battle_of_gods_canon.pdf
    • https://uploads.strikinglycdn.com/files/76633861-f3c4-418e-9064-6c0d1091a647/piwovuvununefafimedadewuj.pdf
    • https://uploads.strikinglycdn.com/files/76f3e248-c46f-4871-9d7b-d811ee677e3b/cursos_de_ingls_en_lnea_unam_gratis_2019.pdf
    • http://dodarululi.epizy.com/cardiovascular_system_ppt.pdf
    • http://penevebepor.epizy.com/78884459692.pdf
    • http://wofenexofube.rf.gd/is_the_selection_on_netflix.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
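The three structural heuristics above (duplicate object bodies, external URI action, URL channel labelling) can be reproduced with a few regular expressions over the raw file. The following Python is an added example written for this report, not the analysis platform's own code. It runs on a constructed, uncompressed PDF embedded in the block, in which an appended incremental update redefines page object 3 0 with a page-open /URI action, so the first and last definitions disagree and the duplicate carries active content. The lure host, object numbers and URLs in the sample are invented. Real samples usually keep page and metadata content in FlateDecode streams, so a production scanner inflates streams before matching.

```python
"""Static checks over a raw PDF byte string: duplicate indirect objects
(parser-confusion shape), /URI actions, and URL-to-channel labelling.
Added example, not the analysis platform's own code."""
import json
import re
from collections import defaultdict

# "N G obj ... endobj"; non-greedy so each definition ends at its own endobj.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI targets; PDF string escapes such as \) are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
XMP_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.DOTALL)
# Keys that make a duplicate definition more than a benign incremental update.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")

# Constructed sample (no xref tables; streams left uncompressed so the regexes see them).
# The base file defines page 3 0 once; the appended update redefines it with an
# /AA page-open /URI action, so first-wins and last-wins readers resolve different pages.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Metadata /Subtype /XML /Length 150 >>
stream
<?xpacket begin=""?><x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta><?xpacket end="w"?>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /AA << /O << /S /URI /URI (http://lure.example/cheat-codes) >> >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""


def index_objects(pdf):
    """Map (object number, generation) -> [(file offset, body bytes), ...] in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append((m.start(), m.group(3)))
    return objs


def duplicate_objects(pdf):
    """Objects defined more than once with differing bodies; severity rises only
    when any definition of the object carries an active-content key."""
    findings = []
    for (num, gen), defs in index_objects(pdf).items():
        if len(defs) < 2 or len({body for _, body in defs}) < 2:
            continue  # single definition, or byte-identical copies
        active = sorted({k.decode() for _, body in defs for k in ACTIVE_KEYS if k in body})
        findings.append({
            "object": (num, gen),
            "definitions": len(defs),
            "first_offset": defs[0][0],
            "last_offset": defs[-1][0],
            "active_keys": active,
            "severity": "high" if active else "info",
        })
    return findings


def uri_actions(pdf):
    """Targets of /URI actions, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def labelled_urls(pdf):
    """Every URL in the file, labelled with the channel that reached it."""
    actions = set(uri_actions(pdf))
    xmp_spans = [(m.start(), m.end()) for m in XMP_RE.finditer(pdf)]
    labels = {}
    for m in URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url in actions:
            channel = "uri-action"
        elif any(s <= m.start() < e for s, e in xmp_spans):
            channel = "xmp-metadata"  # namespace URIs, not lures
        else:
            channel = "document-body"
        labels.setdefault(url, channel)
    return labels


def scan(pdf):
    return {"duplicate_objects": duplicate_objects(pdf),
            "uri_actions": uri_actions(pdf),
            "urls": labelled_urls(pdf)}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_PDF), indent=2))
```

On the sample, the scanner reports object 3 0 as defined twice with /AA and /URI present and therefore "high", lists the single /URI action, and labels the rdf-syntax-ns URL as xmp-metadata so it is not mistaken for a lure.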

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000eb49.bin
  SHA-256: 745b5541fb5a64d0522075a7bd7cf9eb789aef511e36114126c2b24edc27d907
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xEB49
  Size:    5188 bytes

font_01_sfnt_off0000fce6.bin
  SHA-256: dd8726cc9d9e2b3b824832c1fa559b34f22f3c6640454642882af08ac47a66f0
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xFCE6
  Size:    10576 bytes
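The two artifacts above were carved from embedded font streams. As an added example (not the analysis platform's own carver), the Python below walks the stream objects of a PDF, inflates the FlateDecode ones, checks the decoded bytes for an sfnt table-directory tag, and records the file offset, decoded size and SHA-256 under the same naming scheme as the artifact list (font_NN_sfnt_offXXXXXXXX.bin). The PDF and the sfnt header inside it are constructed in the block; the header is a bare table directory with filler, not a usable font.

```python
"""Carve sfnt (TrueType/OpenType) font programs out of PDF stream objects.
Added example, not the analysis platform's own carver."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# sfnt version tags: 0x00010000 / 'true' = TrueType outlines, 'OTTO' = CFF outlines, 'ttcf' = collection.
SFNT_MAGIC = {b"\x00\x01\x00\x00": "truetype", b"true": "truetype",
              b"OTTO": "opentype-cff", b"ttcf": "collection"}

# Constructed sfnt: version 1.0, numTables=1, searchRange/entrySelector/rangeShift,
# one 16-byte table record ('cmap', checksum, offset, length) and filler. Not a usable font.
FAKE_SFNT = (b"\x00\x01\x00\x00" + b"\x00\x01" + b"\x00\x10\x00\x00\x00\x00"
             + b"cmap" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x1c" + b"\x00\x00\x00\x04"
             + b"constructed-font-body")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_pdf(font=FAKE_SFNT):
    """Constructed PDF: one FlateDecode font stream, one plain stream, no xref table."""
    deflated = zlib.compress(font)
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    font_obj = (b"2 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
                % (len(deflated), len(font))) + deflated + b"\nendstream\nendobj\n"
    other = b"3 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
    return head + font_obj + other + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def sfnt_flavor(data):
    for magic, flavor in SFNT_MAGIC.items():
        if data.startswith(magic):
            return flavor
    return None


def carve_fonts(pdf):
    """One record per stream whose (decoded) bytes start with an sfnt tag."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        s = STREAM_RE.search(body)
        if s is None:
            continue
        dict_text, data = body[:s.start()], s.group(1)
        if b"/FlateDecode" in dict_text:
            try:
                # decompressobj tolerates a missing Adler-32 trailer, which
                # malformed or regex-trimmed streams often have.
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                continue  # corrupt deflate data; nothing to carve
        flavor = sfnt_flavor(data)
        if flavor is None:
            continue
        offset = m.start(3) + s.start(1)  # file offset of the raw stream bytes
        found.append({
            "object": (int(m.group(1)), int(m.group(2))),
            "offset": offset,
            "size": len(data),
            "flavor": flavor,
            "sha256": sha256_hex(data),
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), offset),
        })
    return found


if __name__ == "__main__":
    for rec in carve_fonts(build_sample_pdf()):
        print(rec["filename"], rec["object"], rec["flavor"], rec["size"], rec["sha256"])
```

Hashing the decoded font rather than the deflated stream is what makes the SHA-256 comparable across samples: the same font program recompressed by a different generator still yields the same artifact hash.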