Malicious PDF — malware analysis report

Static analysis result for SHA-256 06b1a3a7ffb2b14c…

MALICIOUS

PDF

Size: 75.3 KB
Created: 2021-05-28 19:06:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 7ced1018d3a9ebc0088ef2aa00a97ad6
SHA-1: a80243eeb0839fae793dac26d9e3d30d7658c0e4
SHA-256: 06b1a3a7ffb2b14ce63ffda99367daf3fc9ad0413bc3eb36edfae812fdac7bb0
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that leads to a malicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, appears to be a lure related to construction, likely intended to trick users into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/strik?utm_term=how+to+mix+mortar+for+bricks (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4417419/normal_60618502a9cd6.pdf (In PDF document text)
    • https://static.s123-cdn-static.com/uploads/4408174/normal_5ffaa8c52f74a.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4408589/normal_5fd2a42f05bd0.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4458124/normal_602bb4ed69443.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369138/normal_604d32207da2d.pdf (In PDF document text)
    • https://cdn-cms.f-static.net/uploads/4488133/normal_60375191bf628.pdf (In PDF document text)
    • http://www.ascendercorp.com/ (In PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (In PDF document text)
    • https://uploads.strikinglycdn.com/files/65b7a8ee-6956-434a-b0ff-359a1ff567e9/how_to_perform_a_reset_on_lg_washer.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/a5e9fcbd-6fb6-47ac-ad0a-e57451c8ccf5/41681654139.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/f5f5e960-81de-41c4-bfe2-8f905e3fd5d6/44741951837.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/ba322bbc-00b0-41ae-93b9-764d8364323c/brawl_stars_mod_menu_unlimited_gems.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/a660d584-4022-46dd-95b1-4c40d9c67e73/75188262085.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/9101d33c-5f0b-44c7-b71a-913eff4aa99c/nuance_power_standard_2.0_trial.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/5f85633c-cf3c-4d44-9b6b-bdea8d98ae16/41342933278.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/6a6a6898-4a93-4147-9753-4f2682eb6b35/what_height_rings_for_scope.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/f82eeffb-1746-40c5-bc6a-7dff75b166ef/19597875967.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/37c73829-e2b9-436f-9938-186d76a14f89/puminanu.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/a8f99bd9-0fe2-4fde-a33c-a78617a7b589/vince_gironda_height_and_weight.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/8dc32f89-6324-41dd-a895-fe36295817c9/warhammer_fantasy_novels.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/11d22b3c-b9cf-4882-b53b-5fb04e86b89a/mitunato.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/9c056bdf-e457-4b7e-baf4-eb86d2622bd2/15786524381.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/cf5df94b-1634-4bac-bc9e-5a09b72bc6f4/makayla_love_neptune_nj_car_accident.pdf (In PDF document text)
    • https://uploads.strikinglycdn.com/files/f023f3e7-4b1d-45cf-8253-3ad599362971/for_king__country_-_shoulders_official_music_video_lyrics.pdf (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (In PDF document text)
    • http://scripts.sil.org/OFL (In PDF document text)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000e8a7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE8A7 | 5320 bytes
  SHA-256: 0fc997316879f95741d9ae8a97cf7360ddbc7caf4e5f26b4a49a05374929b1bb
font_01_sfnt_off0000fabf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFABF | 10872 bytes
  SHA-256: 976b4540501083782042be3b9bda16ddcbb711d3f5769aa732b9d5bd976ead20