Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb5741398bd5baa5…

Verdict: MALICIOUS
File type: PDF
Size: 90.4 KB
Created: 2021-03-16 06:50:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 128da0203f7c10b70c6d31366bad2535
SHA-1: 580ac7c6156893b116986e623ea2700cf41089c2
SHA-256: fb5741398bd5baa57da738f003f64991a96153fdf5700da99d1f64f59cad6c5c
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a URL that appears to be a lure for a 'red dead redemption 2 online money glitch fish'. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. While no scripts were explicitly extracted, the PDF_URI heuristic suggests the document is designed to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9925

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://soxebez.ru/wix?keyword=red+dead+redemption+2+online+money+glitch+fish

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size.

  • font_00_sfnt_off0000fbce.bin
    SHA-256: c9cdc196331707e8e01c5e5a9f1eb3a45a230c2e76dfd8cd82e9db3ab100600c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFBCE
    Size: 5596 bytes
  • font_01_sfnt_off00010eb9.bin
    SHA-256: b0dfb74cdc5438d1b33469a234af11677939834be63cb40a91968e3acd142bf7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10EB9
    Size: 11180 bytes
  • font_02_sfnt_off0001355a.bin
    SHA-256: 5b77997bb92b67e00e2e0c6f46edfd4f3dd8b73c87b3d9a97663791162bdd12b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1355A
    Size: 17320 bytes
  • font_03_sfnt_off00014cff.bin
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14CFF
    Size: 4324 bytes