Malicious PDF — malware analysis report

Static analysis result for SHA-256 09cd5b7d29062178…

Verdict: MALICIOUS
File type: PDF
Size: 72.7 KB
Created: 2021-04-08 00:08:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4bf4438debab7a4fb5117fc7fdb9a46b
SHA-1: 3391d8b32d243ec01a7034ae3e28f86f14c1c88c
SHA-256: 09cd5b7d29062178169157893f6b42cdda6bb4f1fc8cd7fa0272e55c46499c59
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating the presence of external URIs and embedded URLs, with one prominent URL being https://seumenha.ru/wix?keyword=tc+helicon+voicelive+touch+manual. The ML classifier and ClamAV detection strongly suggest malicious intent, classifying it as a phishing trojan. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a phishing attempt, likely using a social engineering lure related to the 'tc helicon voicelive touch manual' keyword.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://seumenha.ru/wix?keyword=tc+helicon+voicelive+touch+manual
    • https://cdn.sqhk.co/jasurisunav/pYygezl/muvapikaxiwom.pdf
    • https://cdn-cms.f-static.net/uploads/4465144/normal_6067f65cc82a7.pdf
    • https://static.s123-cdn-static.com/uploads/4366654/normal_5fdf0a6691f91.pdf
    • https://cdn-cms.f-static.net/uploads/4413848/normal_60520cba7f38a.pdf
    • https://cdn.sqhk.co/bevoroxur/hS9I6gh/swag_smoking_girl_wallpaper.pdf
    • https://static.s123-cdn-static.com/uploads/4418180/normal_5fd0357c38e6c.pdf
    • https://cdn.sqhk.co/nukusigemug/fifDhjj/dobiwek.pdf
    • https://cdn.sqhk.co/pasepizut/jaAiifM/crimson_heart_2_mod_apk_unlimited_gems.pdf
    • https://cdn.sqhk.co/guzoladip/ghx3ogd/life_is_strange_episode_4_chloe_death.pdf
    • https://zamidagotef.weebly.com/uploads/1/3/1/4/131453459/tatefajixulapu_fosofu_xadidamalofagi_refukanixasunax.pdf
    • https://cdn-cms.f-static.net/uploads/4450355/normal_6029b25b272b2.pdf
    • https://cdn-cms.f-static.net/uploads/4387060/normal_6018bee72005c.pdf
    • https://cdn-cms.f-static.net/uploads/4379500/normal_603e2eef5fe2c.pdf
    • https://cdn-cms.f-static.net/uploads/4422906/normal_5fd88640a63b4.pdf
    • https://lifalaril.weebly.com/uploads/1/3/4/8/134883644/fibefawirubudun-nusakujewi-sepipupo.pdf
    • https://static.s123-cdn-static.com/uploads/4457311/normal_5fd03baa66de9.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/15f93dd6-5459-4f20-ad13-aa5945413ebf/what_is_satire_in_animal_farm.pdf
    • https://uploads.strikinglycdn.com/files/b7ef33a7-6662-4cf9-b305-d4bb19a2b1ed/is_nbc_free.pdf
    • https://uploads.strikinglycdn.com/files/85fa23af-8dac-482d-838d-05fa9767439f/how_much_is_a_bo_box_at_bojangles.pdf
    • https://uploads.strikinglycdn.com/files/286467cc-6123-4944-a074-7fd96a1fa4a9/ge_spacemaker_xl1800_specs.pdf
    • https://uploads.strikinglycdn.com/files/2b1bb0a2-d303-4763-8fff-a2079f26e8ae/67383978659.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000e075.bin
    SHA-256: 8a3b39034fc00c1431fa0540d3b168a76b8fdf37bdfd01df1b2fd0dcbd8b0795
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE075
    Size: 4776 bytes
  • font_01_sfnt_off0000f093.bin
    SHA-256: 7090960ac3b6e22807e79d0900f7e1343afae4bbcac76f60935ea3f7159e63e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF093
    Size: 10764 bytes