Malicious PDF — malware analysis report

Static analysis result for SHA-256 06d669faca602fec…

MALICIOUS

PDF

71.0 KB Created: 2021-03-02 22:44:53 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-20
MD5: 097fcf337d9baf6342e07135b9587399 SHA-1: b5655e450c087fe8c767b21d81b0ff9279ecb63f SHA-256: 06d669faca602fec9577cf6456e2557f388a6f8859834e74d0b6171bcf5230b9
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file is identified as a credential phishing lure impersonating the UPS brand. It contains multiple external URIs, including one pointing to a redirector hosted on weebly.com, which is a strong indicator of phishing activity. The ML classifier and ClamAV detection further support its malicious nature, likely serving as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://jurizimobijagi.weebly.com/uploads/1/3/0/8/130874317/c7d0846b6.pdf.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/strik?utm_term=videojet+1520+excel+service+manual PDF link annotation
    • http://kutatit.getenjoyment.net/whirlpool_duet_washing_machine_parts_manual.pdfIn PDF document text
    • https://cdn.sqhk.co/solijisivono/bjcxhjE/facebook_app_for_windows.pdfIn PDF document text
    • https://cdn.sqhk.co/pifizumux/haYXHig/todovenodofavisoweki.pdfIn PDF document text
    • http://mudixefibewab.mywebcommunity.org/42242137476.pdfIn PDF document text
    • http://nabavawuzafurur.mygamesonline.org/87536955484.pdfIn PDF document text
    • https://cdn.sqhk.co/lalusozokigi/Rpl2Tha/home_design_3d_gold_download_gratis.pdfIn PDF document text
    • http://zixudivibudizu.scienceontheweb.net/zodumuxuvevugoral.pdfIn PDF document text
    • https://cdn.sqhk.co/xuluriwu/fiihfYR/house_of_secrets_hidden_object.pdfIn PDF document text
    • https://jurizimobijagi.weebly.com/uploads/1/3/0/8/130874317/c7d0846b6.pdfIn PDF document text
    • http://zugugalepew.mypressonline.com/fugosajekinukewawunifuta.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • http://putetudufotu.rf.gd/81830446843.pdfIn PDF document text
    • https://s3.amazonaws.com/wemazun/lujujokojeworusupaparij.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c828.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC828 5584 bytes
SHA-256: fda51346ebcc1211b0da43a91612c4b77ec2015118f73da143461baf1d69a4f9
font_01_sfnt_off0000db1f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDB1F 11528 bytes
SHA-256: 3554df222d571110ef3ee72d410d2637fe02eada95276bc9242e5892393b6def
font_02_sfnt_off00010135.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10135 4324 bytes
SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e