Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd50093c1dcfc6af…

Verdict: MALICIOUS
File type: PDF
Size: 74.7 KB
Created: 2021-03-25 16:57:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8531497a3ef51bce4d8e183d0dd3408
SHA-1: e6f2e6c50509d34a90c14332744fbc19b31a62f3
SHA-256: fd50093c1dcfc6af20fbd38f98d257871f5e64a806c18c852f32c78860201b15
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by both a machine learning classifier and ClamAV. The presence of embedded URLs, in particular 'https://vilenefex.ru/123?utm_term=obituary+format+uk', suggests a phishing or malware distribution attempt. Although no scripts were extracted, the PDF structure and embedded URLs match common phishing lures, which often rely on social engineering themes such as fake obituary templates to persuade users to click malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/123?utm_term=obituary+format+uk
    • https://cdn.sqhk.co/suxujaba/qAjbheR/9481762859.pdf
    • https://cdn.sqhk.co/zesonixiv/gfjdieG/12284690662.pdf
    • http://rorasilozaput.22web.org/sejarah_amandemen.pdf
    • http://leririv.sportsontheweb.net/captain_marvel_2020.pdf
    • http://funanomofov.22web.org/apartment_1303_3d_full_movie_free.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/fodose/movubukidiwilasuzipunip.pdf
    • http://jikusawiv.rf.gd/nodezu.pdf
    • http://noporotosodapo.epizy.com/appdata_roaming_microsoft_templates_normalemail._dotm.pdf
    • http://gunexukod.epizy.com/digital_integrated_circuits_google_books.pdf
    • https://s3.amazonaws.com/tikoweravisixu/p3_international_p4460_kill_a_watt_ez.pdf
    • http://piwakitidi.onlinewebshop.net/wuvazarevijaselinaxeraba.pdf
    • http://rosodojilu.rf.gd/how_do_adults_get_assessed_for_adhd.pdf
    • https://s3.amazonaws.com/vitelitubovuluj/42120755792.pdf
    • https://s3.amazonaws.com/nafamaragisek/what_is_a_metaphor_and_example.pdf
    • http://tapewiwesumufug.epizy.com/648292944.pdf
    • https://s3.amazonaws.com/ritoma/drdo_ceptam_notification_2019.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e78c.bin
    SHA-256: 3b24385cf4ed66728eb43e85c2289df6e1d526b2802d9caff49924880b028cf7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE78C
    Size: 5036 bytes
  • Filename: font_01_sfnt_off0000f8a1.bin
    SHA-256: 4e55ed7dbd092a3c391f287f668a49a119927e7d13e06664432d8251c1555fb0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8A1
    Size: 11212 bytes