Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2feef9d26db57e9…

MALICIOUS

PDF

Size: 84.0 KB
Created: 2021-03-25 08:28:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 59ea1dc3e4dba43f4ea2a678dc491e7d
SHA-1: b83b33a3a2c4ecb8649c04707824aa2ae5eee934
SHA-256: f2feef9d26db57e934af526adaba5634dcca2871b71052b445a5d71c7514c45b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also strongly flagged this PDF as malicious. The document body, though heavily obfuscated, appears to be a lure related to TV guides, intended to direct the user to the malicious URL for potential phishing or malware download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://midufefew.ru/wix?keyword=charter+tv+guide+south+lake+tahoe+ca

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ed0e.bin | 0eac1552a6a0cc8d6d43e14f5c157d052ff2bf21460314f67a2c213e0a454e63 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED0E | 6744 bytes
font_01_sfnt_off0000fdc4.bin | b3dfb2f2c41da7350fc3755141d2fd0ea5796bb125df25fec831093623ff73df | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFDC4 | 2900 bytes
font_02_sfnt_off00010807.bin | 62b81a7fb0817df9e42cb010b697cdad75d862c8dcde107847c06d0c67d3a80c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10807 | 5228 bytes
font_03_sfnt_off000119d0.bin | 339fb3c146505731286e680e92dee468e8394bde0daf2d694586dc7f26e1de2f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x119D0 | 11184 bytes