Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe83e01e71418e27…

Verdict: MALICIOUS

File type: PDF

Size: 84.1 KB
Created: 2021-06-08 20:54:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 769a126a35179a3a1a99d395bab9e22b
SHA-1: af69cbfcc18d2973e130d8e22c0fdec9d65194b3
SHA-256: fe83e01e71418e27c4a9719b2ff9cc0f276b1850040c6164338c6c7b4a7344c8

Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://irlanc.ru/pbw?utm_term=slope+intercept+form+from+points', which is a strong indicator of a phishing or malware distribution attempt. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of the malicious URL and the detection signatures strongly suggest a phishing or malicious content delivery pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/pbw?utm_term=slope+intercept+form+from+points

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fc2a.bin
    SHA-256: a0c9525f40b65a9804791fc621a785e983ae4d12dc039766ed5948381cb1fb3f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC2A
    Size: 4840 bytes
  • font_01_sfnt_off00010c76.bin
    SHA-256: 41d0e0d06f54a30f507820a28b00980f9d49d0d58526b3d859d5ee696ae83d9d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10C76
    Size: 11872 bytes
  • font_02_sfnt_off000134b7.bin
    SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x134B7
    Size: 4324 bytes