Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8dd08b316fe9456…

Verdict: MALICIOUS
File type: PDF
Size: 77.9 KB
Created: 2021-06-05 16:54:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4905b987fd5d1d4a302c73ca0415d1ea
SHA-1: 1f046f7b46469b87a97b41c865a571f39550f222
SHA-256: f8dd08b316fe9456478a247eb6a7c39ff5c1720331916f3d765722bc7c437e62
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'irlanc.ru', which is likely a phishing or malware distribution site. The document body, though heavily obfuscated, suggests a lure related to 'Star Wars' to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/pbw?utm_term=star+wars+new+essential+guide+to+droids

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f47f.bin | e9c80c3bac16169dfcc6b69823a65ba98b04e47f93e9969193910c1b1e2a7e6d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF47F | 5188 bytes
font_01_sfnt_off0001063c.bin | a9bbb6c0b23395eb257daabaff196af56c4fa765d2e73c36295ac3dfa3d5f925 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1063C | 10740 bytes