Malicious PDF — malware analysis report

Static analysis result for SHA-256 effb8a9ae2a11a47…

Verdict: MALICIOUS
File type: PDF
Size: 226.0 KB
Created: 2021-03-30 01:05:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: eb79af982b018a6f2645d37008a6b1e1
SHA-1: b93e3ae8e19f03bbf97440499618c23170f1ff97
SHA-256: effb8a9ae2a11a47addb8714c93acfe376d8444cbf969fe6229ea6f10aace88c
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The ML classifier (score 0.9843) and a ClamAV phishing signature both flag the file as malicious. It carries external /URI actions, the headline one pointing to 'https://leonvi.ru/award?keyword=bhagwan+shree+rajneesh+books+pdf', a lure styled as a free e-book download; the other extracted links share that keyword-named .pdf shape. No script was extracted, so the T1059.007 (JavaScript) mapping is not corroborated by the static evidence: the observed capability is a click-through to attacker-controlled pages, consistent with credential harvesting or a download-stage malware delivery rather than code execution inside the reader. Note also the indirect object that is defined twice with differing bodies; what a given viewer renders may depend on whether it resolves the first or the last definition, so the file should be inspected with both behaviours in mind.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9843

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under a phishing-class PDF signature; this is the only critical-severity heuristic on the file.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate definition carries active content (an action or script).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Here the navigable lures are the keyword-named .pdf links, many on free-hosting subdomains (weebly.com, epizy.com, sqhk.co and similar), headed by the leonvi.ru URL. The w3.org, purl.org, ns.adobe.com, scripts.sil.org, fedorahosted.org and ascendercorp.com entries are XMP namespace identifiers and font vendor/licence strings carried by the metadata and the embedded fonts, not clickable targets.
    • https://leonvi.ru/award?keyword=bhagwan+shree+rajneesh+books+pdf
    • http://edarudost.online/7959946781pw7qh.pdf
    • https://cdn.sqhk.co/xurawupo/hhgwNjj/2016_iihf_world_championship_canada_roster.pdf
    • http://cadenalia.com/guvezuduxsu2jg.pdf
    • https://rawewarox.weebly.com/uploads/1/3/1/3/131379085/bda3e.pdf
    • http://bepifukikuku.mygamesonline.org/corpus_linguistics_book.pdf
    • https://cdn.sqhk.co/perikowep/iaFtRvO/vatibujodugozajizotomot.pdf
    • https://cdn.sqhk.co/ledodatefu/hajgJlS/disodegopuxozaxuvekeva.pdf
    • https://baseparefawufif.weebly.com/uploads/1/3/1/4/131453046/da2a2288d324.pdf
    • https://gepagalegizexu.weebly.com/uploads/1/3/4/4/134478943/witozigukemezewini.pdf
    • http://rugegav.mywebcommunity.org/gadotobatupilupux.pdf
    • http://jasetukuxazep.22web.org/10201790112.pdf
    • https://cdn.sqhk.co/pekotegafod/Zmejgjh/large_rc_speed_boats.pdf
    • http://gromstroy.com/how_to_get_a_knot_out_of_a_yoyo_string0z8g5.pdf
    • https://cdn.sqhk.co/mekibekowufe/TPnHoid/kewexujejugo.pdf
    • http://nosinoski.shop/sofewumezagadelipijugs08g.pdf
    • https://lasapiboxemifol.weebly.com/uploads/1/3/4/8/134865682/4664378.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://sidakofonol.epizy.com/newspaper_articles_on_school_uniforms.pdf
    • http://xutizekuf.epizy.com/94874162263.pdf
    • http://lesidiwajenowil.myartsonline.com/carnatic_music_book_in_malayalam.pdf
    • http://kikanelomer.onlinewebshop.net/circle_worksheet_grade_7.pdf
    • http://xikisefux.epizy.com/51663704921.pdf
    • http://pezamax.myartsonline.com/deepika_malayalam_calendar_2020_free_download.pdf
    • http://vakizonozajaxe.onlinewebshop.net/97294587655.pdf
    • http://vuzudaru.epizy.com/cuestionario_calidad_de_vida.pdf
    • http://pugazapuxijal.myartsonline.com/boyd_convex_optimization.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
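The two structural heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the per-channel labelling behind EMBEDDED_URL) can be reproduced with a small raw-syntax scanner. The following is an added example, not the analyser's code: it runs over a constructed minimal PDF (not the analysed sample) whose link action object is redefined by an incremental update, the example.invalid URLs are placeholders, and the active-content key list and the "info"/"high" severity labels are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample, not the analysed file. Object 5 (the link's action) is
# defined twice: the original body is a plain /URI action, and an appended
# incremental update redefines it as a JavaScript action. No xref tables are
# included; the scanner works on raw object syntax, as reconstructing readers do.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A 5 0 R >>
endobj
5 0 obj
<< /S /URI /URI (https://lure.example.invalid/award) >>
endobj
6 0 obj
<< /Type /Metadata /Subtype /XML /Length 93 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description/></rdf:RDF>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
5 0 obj
<< /S /JavaScript /JS (app.launchURL("https://lure.example.invalid/stage2", true)) >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Dictionary keys that make a duplicate definition worth more than "info".
# This list is the example's own choice, not the analyser's.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/ImportData")


def parse_objects(data):
    """Map (number, generation) -> [(offset, body_bytes), ...] in file order.
    Every definition is kept, so later duplicates are not silently overwritten."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs[key].append((m.start(), m.group(3).strip()))
    return objs


def has_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def find_duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same object id, different bodies.
    Reports what a first-wins and a last-wins reader would each resolve."""
    findings = []
    for (num, gen), defs in parse_objects(data).items():
        if len(defs) < 2:
            continue
        first_body, last_body = defs[0][1], defs[-1][1]
        if first_body == last_body:
            continue  # byte-identical re-emission: no parser disagreement possible
        active = has_active_content(first_body) or has_active_content(last_body)
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(defs),
            "first_wins": first_body,
            "last_wins": last_body,
            # Body-only differences are routine in incremental updates;
            # raise only when a definition carries active content.
            "severity": "high" if active else "info",
        })
    return findings


def classify_urls(data):
    """EMBEDDED_URL: label every URL by the channel that reaches it, so a
    lure behind a /URI action is not confused with an XMP namespace string."""
    labelled = defaultdict(set)
    for defs in parse_objects(data).values():
        for _, body in defs:
            if re.search(rb"/S\s*/URI\b", body):
                channel = "link annotation /URI action"
            elif b"/JavaScript" in body or b"/JS" in body:
                channel = "JavaScript action"
            else:
                channel = "document body / metadata"
            for url in URL_RE.findall(body):
                labelled[url.decode("latin-1")].add(channel)
    return dict(labelled)


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"[{f['severity']}] object {f['obj']} defined {f['definitions']}x")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
    for url, channels in sorted(classify_urls(SAMPLE_PDF).items()):
        print(f"{', '.join(sorted(channels)):30} {url}")
```

On the constructed sample the scanner reports object 5 0 as defined twice with a first-wins body that is a harmless /URI action and a last-wins body that is JavaScript, which is exactly the shape the heuristic warns about: a viewer that honours the original definition shows a link, one that honours the update executes the script. The URL labels separate the /URI lure and the JavaScript-reached URL from the rdf-syntax namespace string in the metadata stream, mirroring the "URL is not a detection" note above.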

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off00032cf3.bin
  SHA-256: e1e0a335fbe959d749e1aaddfb83387df3bcdb2e5caefeda89d7876da81fa4ce
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x32CF3
  Size: 5692 bytes

font_01_sfnt_off0003405d.bin
  SHA-256: c7ce006ece56fcd0e34e84e1ec9ecad6954f8a38de720e5148228c898d9f7fd3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3405D
  Size: 13032 bytes

font_02_sfnt_off00036b8d.bin
  SHA-256: 934cb9e1c53b6fbf624a1b410e0d386aa27fcf4d4d5ad5c26512d1ed5d68a221
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x36B8D
  Size: 3620 bytes