Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5e7f051f4439d52…

Verdict: MALICIOUS
File type: PDF
Size: 395.8 KB
Created: 2022-06-07 16:51:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2022-07-15
MD5: b336eca3db441cd64cff389c2f7bd420
SHA-1: cfd44e6657a5847779a53983284ece93c9ca710c
SHA-256: f5e7f051f4439d529404e3beae2da7e8cc2200b4d3c890e5d2f4e5a3acd1590c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is a PDF containing numerous embedded URLs, one of which is highlighted as an external URI. ClamAV detection and ML classification indicate malicious content, specifically identified as Pdf.Phishing.Trojan. The presence of many similar URLs suggests a phishing campaign or a distribution point for further malicious payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6448

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0005b756.bin
    SHA-256: ebd39c36987fd7ca0dbb975547ed193860aa4b84b4e83848a0be5392cae1aaf9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5B756
    Size: 10716 bytes
  • font_01_sfnt_off0005d025.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5D025
    Size: 16792 bytes
  • font_02_sfnt_off0005e837.bin
    SHA-256: 6272ea7448ef3768c6d2ef53759954431a815b638d415e4bdc5f58c2c3db0817
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E837
    Size: 20176 bytes