Malicious PDF — malware analysis report

Static analysis result for SHA-256 0af2db6c44539d8c…

MALICIOUS

PDF

Size: 70.4 KB
Created: 2021-04-06 06:38:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d226041fe569df7ac2dcd789122aa3a7
SHA-1: 796e651281b859186c5564d17b5d90836f050051
SHA-256: 0af2db6c44539d8c534f30da5e419e05c391f226df3456d684fd71c1a0b77e80
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF contains embedded URLs, with one prominent URL being https://golowaki.ru/wix?keyword=xbox+guide+button+mod. ClamAV and ML classifiers flagged this PDF as malicious, indicating it likely serves as a phishing lure or attempts to download a secondary payload. The presence of embedded URLs and the high confidence scores from detection engines suggest a malicious intent to redirect the user to a compromised site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/wix?keyword=xbox+guide+button+mod

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d547.bin
SHA-256: ffad337e4c47080a6e75094141b8113a83b955b4d60709f8edb5e5d6083dc7b2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD547
Size: 4812 bytes

Filename: font_01_sfnt_off0000e599.bin
SHA-256: f748cec5901541baad3d6bdd1073a9cef31ba0fc7f89001f92bf3a1fa60279d6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE599
Size: 11312 bytes