Malicious PDF — malware analysis report

Static analysis result for SHA-256 1015dc7c9c53fb51…

MALICIOUS

PDF

Size: 93.6 KB
Created: 2020-12-30 04:55:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a45aa442122580eac9cd0df1a02f645c
SHA-1: 1e1dad53a7bf4741dcd697e05eb80d4aa542252a
SHA-256: 1015dc7c9c53fb5194e821457f9fbc33715631fd5953602a79555fc614ced3a9

Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. The document body, though heavily obfuscated, contains text related to 'hack apk download' and the presence of a suspicious URL suggests a phishing or malware distribution attempt. The 'SE_DOWNLOAD_BUTTON' heuristic further supports the idea that the document is designed to trick the user into clicking a download link.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical; ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure (severity: low; ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info; ID: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info; ID: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://traffset.ru/strik?utm_term=idle+gun+tycoon+hack+apk+download
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/61f9bdee-c63d-4bc0-8feb-27f92e9f1c5e/wingstop_menu_delivery.pdf
    • https://uploads.strikinglycdn.com/files/6d3d01eb-5435-42a5-9800-1f9f6629569b/ministry_of_interior_afghanistan_logo.pdf
    • https://s3.amazonaws.com/tixedujegibex/nesagule.pdf
    • https://uploads.strikinglycdn.com/files/d7815827-fbb9-408d-8034-bfd70eadfb3c/mophie_juice_pack_plus_iphone_5.pdf
    • https://uploads.strikinglycdn.com/files/9b908a32-e6dc-44cd-82ec-801a6a6ce5c6/amazing_power_hero_new_york_gangster_apk.pdf
    • https://uploads.strikinglycdn.com/files/3db674bf-a617-4c28-97f9-932adc9a0323/truck_driving_cargo_mod_apk_download.pdf
    • https://s3.amazonaws.com/tazibabebamep/23824815767.pdf
    • https://s3.amazonaws.com/jevelel/exponent_laws_worksheet_grade_11_with_answers.pdf
    • https://uploads.strikinglycdn.com/files/c01be29c-3129-4158-930f-ba22feedaae2/21237384087.pdf
    • https://uploads.strikinglycdn.com/files/9dace326-a038-42c5-b414-630ae067fb9d/15786038640.pdf
    • https://uploads.strikinglycdn.com/files/a711e1be-04c6-457e-97cd-14e7c30628b9/95704662916.pdf
    • https://uploads.strikinglycdn.com/files/c6dcf542-42eb-4ed1-94c0-5626869442c4/77387281384.pdf
    • https://uploads.strikinglycdn.com/files/077263d3-e260-46c6-934a-0ed87751e2c3/i_love_the_mountains_song.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • stream_005_off00013459.bin
    SHA-256: 79039d878788acc4106dda91c95039b9773c756aefcd303c8fb525a36f6d7fed
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x13459
    Size: 22408 bytes
  • font_00_sfnt_off0000ef09.bin
    SHA-256: 016562535695261fa949c20e037b245f776ea9462a3ec0c9e1c8d7b66b64eb05
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF09
    Size: 3120 bytes
  • font_01_sfnt_off0000fa3c.bin
    SHA-256: d8831e17285c772a3f9e64aa63ea4c5a2d0f31f5b4bbf81991b17eea385b81e9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA3C
    Size: 5092 bytes
  • font_02_sfnt_off00010b9c.bin
    SHA-256: 0c36c87f543713831b3ed3f603dd46f90ac52cc78af1ef318f54418b8d4ce29f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B9C
    Size: 12796 bytes
  • font_04_sfnt_off00015a72.bin
    SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15A72
    Size: 4324 bytes