Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6cc0ccd702b6392…

Verdict: MALICIOUS
File type: PDF
Size: 91.4 KB
Created: 2021-06-26 00:45:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 00f4e52d7d2b5444c50ffa6b23e529cc
SHA-1: 420abcba872833d4f7415d86fc0b09692d0d350f
SHA-256: f6cc0ccd702b639295b753bf89b53871215dc9d439a3e7692566611969ed3aca
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF that contains multiple embedded URLs pointing to other PDF files hosted on external domains. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. The presence of embedded URLs suggests an attempt to redirect the user to a malicious site or download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9924

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e8ac.bin
  SHA-256: 886769fcffcac4cd7a84ca9fadb939fb38d54f99a4249abb41405f2564fefafd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE8AC
  Size: 10676 bytes

Filename: font_01_sfnt_off0001012f.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1012F
  Size: 16792 bytes

Filename: font_02_sfnt_off00011941.bin
  SHA-256: 4ff2e07db47f8b9f36041448e5d723fd52468617ad2f44c8593e7a37eb08a2c1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11941
  Size: 17112 bytes

Filename: font_03_sfnt_off0001459f.bin
  SHA-256: cc63eba5949d2b84bc20a5b8686512d91a390356e4b4ec8e675220a42817b1c7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1459F
  Size: 17472 bytes