Malicious PDF — malware analysis report

Static analysis result for SHA-256 fef9c96492135619…

MALICIOUS

PDF

Size: 77.5 KB
Created: 2021-03-19 17:35:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a4a13f4a1e63ca84063785cc58b4fcf7
SHA-1: 2177d63d79b992f3cb91b6014b80100099816baf
SHA-256: fef9c96492135619c0697ab5d18d33cceeea40ba966ee282f75d0c13e4d66a81
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that appears to be a lure, directing users to a site that likely hosts further malicious content or exploits. The document body, though heavily obfuscated, contains text related to the embedded URL's keyword, reinforcing the phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/award?keyword=callan+method+stage+4+pdf+sk
    • https://cdn.sqhk.co/jupujezaxa/hfui4El/castlesteads_farms_ltd.pdf
    • http://nitiwopororotef.mypressonline.com/tica_para_amador_resumen_captulo_1_al_6_preguntas_y_respuestas.pdf
    • http://fukerijinexin.mygamesonline.org/vortech_mp40_wet_side_assembly.pdf
    • https://cdn.sqhk.co/kusonemap/gjJUjcP/jivabo.pdf
    • http://mosebuzixat.mywebcommunity.org/mesitudasizodadivajibezu.pdf
    • http://fagumawegoleleb.mypressonline.com/90813315372.pdf
    • https://tuxaxigete.weebly.com/uploads/1/3/5/3/135324810/saxikeko_velisu.pdf
    • http://tafakiduwav.scienceontheweb.net/hernia_abdominal_en_gatos.pdf
    • http://faripofijukevom.mywebcommunity.org/engineering_applications_of_artificial_intelligence.pdf
    • http://xevamoz.mygamesonline.org/arthritis_diet.pdf
    • https://cdn.sqhk.co/tobijoge/gij62de/fobovivobenemesi.pdf
    • http://sigixexizo.sportsontheweb.net/clinical_anatomy_of_the_eye_free_download.pdf
    • http://vixitatevejiwo.getenjoyment.net/taxoj.pdf
    • https://sopuduzebuvagaf.weebly.com/uploads/1/3/0/7/130775825/1722402.pdf
    • https://cdn.sqhk.co/bitizulokiva/Cbhgih3/3554633073.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://550dfcec-0280-4316-a0d5-68b74a7a20b9.filesusr.com/ugd/f59309_a4483763bf1d4435ad1321bb11b868fc.pdf?index=true
    • https://3e1af3dc-cf37-4f58-935d-0a6065bc5ce9.filesusr.com/ugd/3ca236_2c4163dc4517448198fcf02ce51875e8.pdf?index=true
    • https://8d67285a-e3c5-4820-bb1a-bb91ce1079a6.filesusr.com/ugd/d54300_eb99046ea2ea41eca0ea6d5e4e32ea54.pdf?index=true
    • http://sipanokule.onlinewebshop.net/36523620504.pdf
    • https://0ed30ddb-3df1-4505-9e4e-3e87fc6d20ea.filesusr.com/ugd/f043c1_282fd81f62c6458dbdb14eeba7ed1c5b.pdf?index=true
    • https://30621b86-6952-4b41-80af-4d24d830bc7c.filesusr.com/ugd/122077_0368fe37eb8d40f6bbab2cff2d3a746d.pdf?index=true
    • http://dupumimegijema.epizy.com/alison_roman_chicken_sheet_pan.pdf
    • http://natomig.rf.gd/sharp_android_tv_app_store.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e522.bin
  SHA-256: 7974e7421d8dc8f46bea60b1de94aad3953092d88a207313a991432a89d5270f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE522
  Size: 5416 bytes

Filename: font_01_sfnt_off0000f773.bin
  SHA-256: 0d4351d844c81be1e17578aadca6593f52afa3a579b87e76f347fbacc8cd5891
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF773
  Size: 15900 bytes