Malicious PDF — malware analysis report

Static analysis result for SHA-256 f523dc55dd26daa4…

Verdict: MALICIOUS
File type: PDF
Size: 76.3 KB
Created: 2021-03-14 15:01:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ac51495da2b68c755ed46af21affa1a0
SHA-1: bd121c9612e734bc9ddb384177c8e0219622e430
SHA-256: f523dc55dd26daa42781724984995876ba93cb00ded04c01baa8880453c6c4b1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'leonvi.ru', which is likely a phishing or malware distribution domain. The document body, though heavily obfuscated, appears to contain metadata related to 'Atex zone classification.pdf' and the wkhtmltopdf application, suggesting a deceptive lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://leonvi.ru/award?keyword=atex+zone+classification.+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000de89.bin
    SHA-256: 3908245ca59ad2fbd5822c27cd69cebcdf359c0ce58c86ef7dd8a6834496a19e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE89
    Size: 3832 bytes
  • Filename: font_01_sfnt_off0000ec52.bin
    SHA-256: 00bc9c534119667fa5fa3a2fe963bccb56874184ddfebec456e49b086426e1d9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC52
    Size: 5192 bytes
  • Filename: font_02_sfnt_off0000fe29.bin
    SHA-256: 9478006aa013c85525062a4be11a6b09948e613372b0d1ebba76b58cfa159414
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE29
    Size: 11612 bytes