Malicious PDF — malware analysis report

Static analysis result for SHA-256 fed932f5050994a0…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-03-21 07:46:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83f06f3c410c0e57276b73cd3aa14c9d
SHA-1: 7b1095f59840091b3cf085921f7320f751527479
SHA-256: fed932f5050994a08eb3b928b65a0699efa3acd57c9cc5b3e344652d1fa0d649
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF as malicious with high confidence. The document body, though heavily obfuscated, appears to contain product-related text, suggesting a lure to trick users into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=barska+compact+keypad+depository+safe
    • https://wanibezitajijo.weebly.com/uploads/1/3/6/0/136000154/78879ee451a5b.pdf
    • http://duvejajenivogik.getenjoyment.net/fipawiduxamumizaruvovuj.pdf
    • http://fagilef.getenjoyment.net/79530576450.pdf
    • https://cdn.sqhk.co/letarezetap/CtjdgtM/fast_money_halftime_report_cnbc_fix.pdf
    • http://ritixibetono.mygamesonline.org/algorithms_sanjoy_dasgupta_solutions_manual.pdf
    • https://cdn.sqhk.co/fagaxirupunu/ier3jgm/bulejirokirolele.pdf
    • http://ritefajitexu.scienceontheweb.net/multiplying_algebraic_terms_worksheet.pdf
    • https://cdn.sqhk.co/laruxibut/djhHjfm/60530534982.pdf
    • https://logesili.weebly.com/uploads/1/3/5/3/135389335/b090e2b96a.pdf
    • http://kevakigev.medianewsonline.com/administracion_publica_guatemala.pdf
    • https://nimawotamuxagop.weebly.com/uploads/1/3/1/6/131606149/wijejufi.pdf
    • https://nililekekikare.weebly.com/uploads/1/3/0/7/130739967/linimiwegipel_sufaralo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/pujinit/muqabla_bohemia_song_mp4.pdf
    • https://s3.amazonaws.com/baxegezivumi/pivurozukasematidelula.pdf
    • https://s3.amazonaws.com/fajujiju/epson_xp-400_ink.pdf
    • https://uploads.strikinglycdn.com/files/a5c039f0-93f4-4ed2-898d-f34d2bd26a5c/who_is_tony_in_season_3_of_the_crown.pdf
    • https://uploads.strikinglycdn.com/files/0e2d1de0-099c-47ab-be95-65be8f0cb754/truyn_kiu_ch_nm.pdf
    • https://s3.amazonaws.com/gofiguj/complications_atul_gawande_vk.pdf
    • https://uploads.strikinglycdn.com/files/03cb2e7f-8087-40d7-bd9f-b327413eb220/fibezudaxebikarar.pdf
    • https://s3.amazonaws.com/penale/clean_master_pro_apk_2018.pdf
    • https://uploads.strikinglycdn.com/files/fed67da9-b040-403c-8f46-60f38592f278/xuwonupezutitudosilagor.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ded0.bin
    SHA-256: e0826ed0e24bf096dbc4b55f4b1a977076d0a02e142f6ed5b66e1bba9d315cde
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDED0
    Size: 5484 bytes
  • font_01_sfnt_off0000f174.bin
    SHA-256: 27120108a1a3a244dd2c9982c99dcc59b3c2e8c911e844b87afb18aa67089a32
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF174
    Size: 12372 bytes
  • font_02_sfnt_off00011a50.bin
    SHA-256: ceb30e69b2a1d6501fe8904d8a8466471eaa529f0958da5583c6585f97c9fab1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A50
    Size: 16076 bytes