Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbbcf79488f7c6ab…

MALICIOUS

PDF

67.3 KB Created: 2021-02-15 16:03:51 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b916752a82083355ed2f50e31e2d9d1f SHA-1: 555aabf859b5a7125823c7be0e879555d7e246ca SHA-256: fbbcf79488f7c6ab5751d2de3563290aa2f6719b426522952903bfc0869fb632
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, suggests a lure related to a school schedule, which is a common tactic for phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/wix?keyword=creekside+high+school+irvine+bell+schedule
    • http://lakulikelanu.iblogger.org/tecnologia_de_la_informatica_y_las_comunicaciones.pdf
    • http://jetelijunejuk.iblogger.org/equivalent_fractions_worksheet_year_2.pdf
    • http://xonibiz.22web.org/breezingforms_joomla_backend.pdf
    • http://theplafond.xyz/mosekuzidaketuzisawiwigofgkcs.pdf
    • http://nawilojobate.iblogger.org/tadadakox.pdf
    • https://movediwifed.weebly.com/uploads/1/3/2/6/132695881/4f2ca13882f.pdf
    • http://freefire-gifts.com/29822431672e8e7p.pdf
    • https://static.s123-cdn-static.com/uploads/4416502/normal_5fd03b6f6acb9.pdf
    • https://static.s123-cdn-static.com/uploads/4379974/normal_5fc80efe2f85b.pdf
    • https://cdn-cms.f-static.net/uploads/4384301/normal_5fd60d8a20785.pdf
    • http://copyright-security-ig.com/35245824686c4q6j.pdf
    • https://static.s123-cdn-static.com/uploads/4373985/normal_5feb984231a5a.pdf
    • http://laitlabs.pro/34031036574qv285.pdf
    • http://rafidoletusamox.22web.org/cannonball_run_2_movie.pdf
    • https://static.s123-cdn-static.com/uploads/4485005/normal_5feb7ef097f89.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://pikezega.epizy.com/tidufisikewisos.pdf
    • http://pijularof.epizy.com/91742373967.pdf
    • http://sofikej.rf.gd/jusuzevatijen.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cc4f.bin
e8168652db85f5cbcb55d9bef99ff557ed33faff0ddb996a59f2454157ae4229		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC4F 5160 bytes
font_01_sfnt_off0000dde0.bin
1e574130acedb6d153cde6249ac04c567f2b880c4f8d1c9957e11c6a9b3827b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDDE0 9940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.