Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d4a13710c39e911…

MALICIOUS

PDF

Size: 79.9 KB
Created: 2021-06-05 04:48:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0ea7e6f406570240049d2032db9db57
SHA-1: a359f06524413bb956bfb31786ba649e94cad7be
SHA-256: 0d4a13710c39e91119a09f2923dc420153dcc2efd4ce0ca8deb3d817c6d4be97
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF triggered a heuristic for an external URI pointing to 'https://ketchas.ru/pbw?utm_term=are+banana+chips+healthy', which is likely a phishing lure. ClamAV also detected the file as 'Pdf.Phishing.Trojan'. The document body, although heavily obfuscated, appears to be related to the content of that URL, which suggests a phishing attempt to trick users into visiting a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ketchas.ru/pbw?utm_term=are+banana+chips+healthy

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f5cc.bin
    SHA-256: 2ae44f1a9fdf937311a8d43f780bd9d3733f53eb76605a5b1a580f33cd33a749
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF5CC
    Size: 5252 bytes
  • font_01_sfnt_off000107a8.bin
    SHA-256: 54d17d711b053e2ff59ae41b987a35258d44c67995dade34696290a692cfad22
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x107A8
    Size: 12748 bytes