Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcfab4b57b9f7e95…

Verdict: MALICIOUS
File type: PDF
Size: 86.6 KB
Created: 2021-06-29 00:23:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 17ed1b34066bffd2e9ee95ca03287ea1
SHA-1: d38d7f02d0473c3e7b09eb977ecf0fc67440f931
SHA-256: fcfab4b57b9f7e95bd86a3f036143d19f1405d084be9ea7a50ca65cc8e1bc8be
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded URLs, specifically pointing to PDF files hosted on various domains, suggests a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a common attack pattern for delivering malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • font_00_sfnt_off0000ec2d.bin
    SHA-256: bf19ec743c3a141bba34e177669c2b8c1ab5abfac3dbab1afaab81c00ef45b5e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC2D
    Size: 19708 bytes
  • font_01_sfnt_off00011d14.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11D14
    Size: 16792 bytes
  • font_02_sfnt_off0001352b.bin
    SHA-256: d159797ac62e5d414b5dbd9f32b81a3918176569de8f91f1b7e2a4e290bf169b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1352B
    Size: 10540 bytes