Malicious PDF — malware analysis report

Static analysis result for SHA-256 faee70d20906c65c…

Verdict: MALICIOUS
File type: PDF
Size: 85.5 KB
Created: 2021-07-24 00:10:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f451c210bba0c4dd3ed8ca353ceb2337
SHA-1: bab50ba8df284cd569eaa078619c2de1f4179740
SHA-256: faee70d20906c65cba3b94f100ba8f44e8102af912c5e811cc6e20762bf3a026
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document identified as malicious by ClamAV and an ML classifier. It contains an embedded URL pointing to 'laborke.ru', which is likely used to deliver a malicious payload or conduct phishing. Although no scripts were explicitly extracted, the PDF structure and the presence of an external URI suggest an attempt to redirect the user to a malicious site, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://laborke.ru/square?utm_term=best+jumpshot+in+2k19+for+shot+creating+sharpshooter
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f4593904a1d97017a58bf7/1626626361636/l10_bearing_life_definition.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ee4af66d75c50a5d44ae23/1626229495156/gutobivageleziri.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8f40fe6a58043b68f8baa/1625879567696/57387139335.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f355c38c10a93e504db130/1626559939271/5986986221.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f345e64f27972c60402777/1626555878599/pexumudaxodumidonunoduse.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f0d3e70a71fd0da9a8fc15/1626395623859/drowsiness_in_diabetic_patients.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f77808c92ef868b91fd08e/1626830856993/bavopediwikaz.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60edc75f8443ee2c892d6d42/1626195807406/shattergang_brothers_edh.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e79b0838ed220952a9bfcd/1625791240630/45407856352.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e95016563c1506a8b792eb/1625903126317/pain_years_after_c_section.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f1fe8668d14b0c9c2c4a54/1626472070154/food_to_settle_an_upset_stomach.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e8e28637da2614570aa21e/1625875078464/woverugupefotixaref.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ee053f2e8a4a2aca7e546b/1626211647253/98195525282.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f203632516006cc69256e0/1626473315449/gin_gin_to_gympie.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60fb2e3b396c205948a39666/1627074107480/duwol.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e7ff661c6ee137fa124eb7/1625816934725/40250154503.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60e8b81ab8aa5f4df1b1d2b5/1625864218492/18652305485.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f9fcfb62df5e14861fad6d/1626995963587/scale_with_4_sharps.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60efd1ab0511021e70b37c5c/1626329515159/razovoxuretowisadebud.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f625fe49ed543a17d77333/1626744318891/ovary_pain_after_ovulation.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f601f41ab85d2acb1bb97b/1626735092557/studying_engineering_4th_edition_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e5d8.bin
  SHA-256: c161c0e427bd905b4e39b34743afdc55c0dab75d188f6fb8159dd150815d6ed8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE5D8
  Size: 11596 bytes

Filename: font_01_sfnt_off0001015e.bin
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1015E
  Size: 16792 bytes

Filename: font_02_sfnt_off00011970.bin
  SHA-256: 3ec33069e40d73fa4347097da85bdf1385772c08da3d7a5651f6badf0178a938
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11970
  Size: 16748 bytes