Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd6b044683ce2408…

MALICIOUS

PDF

Size: 120.5 KB
Created: 2021-04-06 08:31:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e8a4adcb6653dca607092954a8c86bd4
SHA-1: d1f9a163ba1002983a5e915cd9bd8ca006e7b0f7
SHA-256: fd6b044683ce240880161c6b60988e079b78c305def161a45f11748193a7ffeb
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that directs users to a domain associated with malicious activity, likely to deliver a secondary payload or phish for credentials. The document body, though heavily obfuscated, appears to reference 'B. sc part 1 chemistry notes pdf', suggesting a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9963

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vilenefex.ru/award?keyword=b.+sc+part+1+chemistry+notes+pdf
    • http://manovina.mypressonline.com/el_marques_de_sade_pelicula_completa.pdf
    • https://static.s123-cdn-static.com/uploads/4480758/normal_5ff2587fe6c96.pdf
    • http://pagavopalubutu.scienceontheweb.net/43047684235.pdf
    • http://vofufime.mypressonline.com/54134223590.pdf
    • https://cdn-cms.f-static.net/uploads/4447271/normal_602e1bfd724f4.pdf
    • https://cdn-cms.f-static.net/uploads/4480889/normal_60535f78663be.pdf
    • https://cdn-cms.f-static.net/uploads/4472488/normal_5fe938c638187.pdf
    • http://pewujok.mypressonline.com/counting_chart_numbers_1_to_1000.pdf
    • http://rawiduti.medianewsonline.com/79925635982.pdf
    • https://static.s123-cdn-static.com/uploads/4459645/normal_5fdff83b84430.pdf
    • https://cdn-cms.f-static.net/uploads/4383137/normal_5fdab764f1b10.pdf
    • http://rozujed.sportsontheweb.net/zodidusoxofegi.pdf
    • https://cdn-cms.f-static.net/uploads/4468553/normal_604e9ae951429.pdf
    • http://fojefojegut.medianewsonline.com/rapepumaragokuzaz.pdf
    • https://cdn-cms.f-static.net/uploads/4417025/normal_602b7b9b17eb9.pdf
    • https://cdn-cms.f-static.net/uploads/4464529/normal_6069e564a7896.pdf
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://ledufowi.myartsonline.com/alimentacion_y_nutricion_en_mexico.pdf
    • http://naranosufok.atwebpages.com/gasebit.pdf
    • https://uploads.strikinglycdn.com/files/eb6ef09f-ac7d-4d33-90f2-0d5cba9ca776/words_that_start_with_n_to_describe_someone.pdf
    • http://furafep.onlinewebshop.net/the_ultimate_guide_to_landing_page_optimization.pdf
    • https://s3.amazonaws.com/rirusozo/98502897866.pdf
    • https://s3.amazonaws.com/gozifep/fusionner_plusieurs_gratuit.pdf
    • https://s3.amazonaws.com/vuliwisuwig/39523192822.pdf
    • https://uploads.strikinglycdn.com/files/708acc71-37ec-4f03-9160-d59f44b8c63a/tiresul.pdf
    • https://s3.amazonaws.com/wexukufedepim/tugugavufefuvekawurer.pdf
    • https://uploads.strikinglycdn.com/files/55050909-678e-48b7-a6c6-f07270e68c62/delta_scroll_saw_40-560_blades.pdf
    • https://uploads.strikinglycdn.com/files/a201150a-fbc2-47e6-9ec8-a08a33be9c4b/kapozidetofizabe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001765f.bin
    SHA-256: 96b01d3b933b66b91462f268ec91aea237476bbafad1b018efff246edd41e554
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1765F
    Size: 7112 bytes
  • font_01_sfnt_off00018ad7.bin
    SHA-256: f55982508d59c8eb1f8474842f84325ecb0ec1109affeda6d717c90c0cb9d023
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18AD7
    Size: 5600 bytes
  • font_02_sfnt_off00019dca.bin
    SHA-256: 35c0a746fcdf55e64f2ba55209f6a139fa5d4ea47dce36c63c78d1e6d66b29b6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19DCA
    Size: 3204 bytes
  • font_03_sfnt_off0001aac3.bin
    SHA-256: 0fbd95e7c08a9c7d6addeaff3ea3cd20ec036f652dc468088a735c3381b992ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1AAC3
    Size: 11936 bytes