Malicious PDF — malware analysis report

Static analysis result for SHA-256 0787a82c7f80127e…

MALICIOUS

PDF

Size: 78.6 KB
Created: 2021-05-28 15:55:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: b597f216c437a1c4697268e1a914bea8
SHA-1: b12486214b54f51219f6a0e8e3e4aca3565e0bd8
SHA-256: 0787a82c7f80127e349b029e805c8d2aff04be718f04a6225288effb888171e1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • https://crophysi.ru/strik?utm_term=the+new+season+game+of+thrones (PDF link annotation)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/49088b35-b8d8-4441-8ce6-4c7d87a971a1/kogibewilunexugutaxajotu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f2c69a9d-59f5-4141-907e-158789962743/how_to_write_report_format_example.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a7b147f7-cdce-4e12-974c-43bfeebe094d/how_to_draw_easy_stuff_that_looks_hard.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/89d553a6-929c-46c0-905c-854067e8ba51/watch_the_game_changers_documentary_online_free_reddit.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/089d9289-5826-44cd-a373-aa3273ee7e52/41554756484.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3a2c4bb4-0f55-4fcc-8490-227fd75b766e/gmat_official_guide_2019.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fdc04722-92e0-437c-abc4-4e3536f6c8a0/nojazegoluteki.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b6269730-71ba-4851-9e4d-9553b9ce9fa5/nobevobupimaxibuvokij.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a1222190-863c-46b0-91a6-424fa9b582b9/97746317867.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/726a4da3-0ac7-464f-8782-e17a778d9dea/45111208070.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9727474a-f5f2-4f63-bd0b-f62afb3f7fd8/pmdg_747-8_crack_p3dv4.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8a5d9686-2ca9-4da4-9a70-d3ac803df242/what_age_do_they_hire_at_wendys.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/51ab354d-7eb5-44c2-a435-aec1c170bc1c/weber_grills_parts_320.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d62b942f-17f7-4c67-aab2-476c1f5486f4/75760349221.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ab38e044-b018-4e89-b57a-45000c8bcfdb/gefuxex.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/04514fbe-ea5e-4966-9d51-a20e2b6889a0/freemake_video_downloader_gold_pack_key.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0362d509-ae22-4e9d-8688-064b6cef71c4/groin_strain_rehabilitation_exercises.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ecc78981-0ec5-4139-9ec0-f4c6360a6572/80584004300.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/11a8127b-a678-4562-a9d6-cef2b7a58d39/motivational_interviewing_approach_definition.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f5a6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF5A6
    Size: 5192 bytes
    SHA-256: be9637e87f67ab79bdfe97c90a018aa111f72b5ae1f69b4a25d67123d2c3eed0
  • Filename: font_01_sfnt_off0001073b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1073B
    Size: 11104 bytes
    SHA-256: f63156c382871fc00f6d4ef3e239f439b03ad4b7b848017716a4cc1883f44cf8