Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1a3c4d0d4ac3e2b…

Verdict: MALICIOUS
File type: PDF
Size: 79.8 KB
Created: 2021-03-23 07:27:19 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 592248b3609b9f2d6aae2f921cc6d1be
SHA-1: e8cc31f46d7ebc42d79a7c6bbb1ca6d240631857
SHA-256: f1a3c4d0d4ac3e2b559a2668daade4467226f75eef11a58bfdeba6b37fc4428c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that appears to be part of a lure, suggesting the document is intended to trick the user into visiting a malicious site. No scripts were extracted, but the presence of embedded URLs and the nature of the detection indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/award?keyword=seaway+bill+of+lading+pdf
    • http://flymoney.net/wordpress_admin_panel_default_password9gddx.pdf
    • http://prazdnikprosto.ru/how_to_study_for_ham_radio_license_testbmv6c.pdf
    • http://polystate.ru/marketing_management_kotler_keller_15th_edition50yty.pdf
    • http://vigastlens.xyz/how_long_will_it_take_to_walk_1000_stepsr0wfc.pdf
    • http://tuvugisuxizew.iblogger.org/60833370666.pdf
    • http://ottics.ru/zapinozanedadivexux3d388.pdf
    • http://daating19.site/sexokosaffctkh.pdf
    • http://center-about.com/aplicaciones_motores_de_corriente_directae79tc.pdf
    • http://4338bacchus.com/3214404130555eop.pdf
    • http://alkim.xyz/winnie_the_pooh_personality_test9sseh.pdf
    • http://tohld.in/what_benefits_do_you_get_from_the_navyvjzow.pdf
    • http://pedron.fun/appium_1._6._3_for_macora9v.pdf
    • http://smilex.club/how_much_is_a_2014_jeep_grand_cherokee_worthcapi2.pdf
    • http://hushseo.online/valentine_message_to_my_sister_in_lawbqfug.pdf
    • http://calipshatngaccs1.xyz/chrome_portable_offline_installerh9t7c.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zatazewoz/android_version_9_bluetooth_issues.pdf
    • https://s3.amazonaws.com/makumapikeze/96505671889.pdf
    • https://104e0e48-a4c2-4a03-8647-06ef64d4e6ac.filesusr.com/ugd/e2c6c1_94097736f6a74d3d9f3f36be5875f700.pdf?index=true
    • https://7be8961d-effb-4c78-a255-78c3c9f0be09.filesusr.com/ugd/3dd68e_300f1cd224fd4ab4967f969e6c77e217.pdf?index=true
    • https://s3.amazonaws.com/fewunadupop/answering_phone_calls_from_home_jobs.pdf
    • http://jalofepo.rf.gd/pugijugakiwex.pdf
    • https://92e0cadd-ca3c-497d-ba7d-1aece6ee6da0.filesusr.com/ugd/008e52_a2d5f200f9fd471b86e58a0a5f95458c.pdf?index=true
    • https://19aaccd0-9772-41b6-85c4-be118606641a.filesusr.com/ugd/a12125_6ad133e2f64a4fd89fe9b7ee3f79b6e3.pdf?index=true
    • https://4adff18d-dc39-4349-be2c-eeb12737f1cb.filesusr.com/ugd/9117e0_8defb1ed51904e1da74b700d41ce2734.pdf?index=true
    • https://s3.amazonaws.com/miwolezedubujoz/84514822126.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fbb5.bin
    SHA-256: c468aec84c41f6345fde142421a444ded9895b3c4c8a06094580475cd5581cd6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFBB5
    Size: 5372 bytes
  • Filename: font_01_sfnt_off00010e2d.bin
    SHA-256: 774b8ffc620e834fadbcf2e64634e0d171b7d0877648ce1c481be961b9363e1f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10E2D
    Size: 10308 bytes