Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7e3fb79a64f893c…

Verdict: MALICIOUS
File type: PDF
Size: 70.2 KB
Created: 2021-03-17 00:01:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 47abf2bf3b5d039cbc28f7a925cae19d
SHA-1: d325cdbd1059428149a1a05a272a5eb5aa290745
SHA-256: f7e3fb79a64f893cc53345de548ca41fb5af16d6d759172e3a2a770bf4e3489f
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The document contains embedded URLs, one of which, 'https://soxebez.ru/wix?keyword=van+buren+elementary+janesville+wi', appears to be a lure for phishing or malware distribution. The presence of embedded URLs and the overall detection profile suggest a phishing or social engineering attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/wix?keyword=van+buren+elementary+janesville+wi

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d3c5.bin
  SHA-256: 242eb5d661839887d400e76767cccd44025c054403e5d744578fb787ded1870f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD3C5
  Size: 5268 bytes

Filename: font_01_sfnt_off0000e5b5.bin
  SHA-256: ca866e65659e9a21edd524ae905583ababbed2815a244c23b2cabcc9a3ddca56
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE5B5
  Size: 10620 bytes