Malicious PDF — malware analysis report

Static analysis result for SHA-256 043913a6729dc731…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-03-12 14:44:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 18732c1344afcad8ee48484703f6d4d4
SHA-1: e184355512cd967028184c3de9f964d4a58749ed
SHA-256: 043913a6729dc731f31f37111b69a0a918e1e1d279b05b6f4f168f0a0bfed098
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by both the ML classifier and ClamAV, indicating a high likelihood of malicious intent. The embedded URL carries the search term 'archero mod apk unlimited gem', a lure aimed at users looking for modified mobile applications, a theme that frequently leads to malware downloads. Although no scripts were extracted, the PDF structure and the external URI heuristic suggest the document is designed to redirect the reader to a malicious download site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/123?utm_term=archero+mod+apk+unlimited+gem

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f7b3.bin
    SHA-256: a22f1b665b0ff0204c3878083abf3de045cdec4e1f21775fd67be6007aa59d07
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF7B3
    Size: 5364 bytes
  • Filename: font_01_sfnt_off000109c1.bin
    SHA-256: 07247d6fc3515f5da4b2bb4400e6b985ff7b7fc00812739daaae13d52f234030
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x109C1
    Size: 10952 bytes