Malicious PDF — malware analysis report

Static analysis result for SHA-256 1052bcc639d50c04…

Verdict: MALICIOUS
File type: PDF
Size: 61.2 KB
Created: 2020-12-11 15:38:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-27
MD5: da538eb54e61277c373ce410d6f3072e
SHA-1: 1e8edf7fba7af45a02e19e58f926c9bb710dbf44
SHA-256: 1052bcc639d50c04e7eaffd22953b32680fb61b13788f1263cc9640ec9bf1160
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that leads to a suspicious domain, likely intended to trick the user into clicking it. The document body, though heavily obfuscated, contains text that appears to be a lure for 'Gs1 data hub contact'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (URL, then the channel that reached it):
    • https://trafficel.ru/123?utm_term=gs1+data+hub+contact [PDF link annotation]
    • https://cdn-cms.f-static.net/uploads/4382639/normal_5fbba8cee7dc2.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4482207/normal_5fba215481fea.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4374953/normal_5fbdf12fe4b65.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4381541/normal_5f9ee4bfb2928.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4365627/normal_5f892d8a7b70d.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4465694/normal_5fa3eac784ee9.pdf [In PDF document text]
    • https://cdn-cms.f-static.net/uploads/4451363/normal_5fa51682854af.pdf [In PDF document text]
    • http://www.ascendercorp.com/ [In PDF document text]
    • http://www.ascendercorp.com/typedesigners.html [In PDF document text]
    • https://uploads.strikinglycdn.com/files/d0e4c591-9a77-4569-9ada-566a19037e17/dupenenisifojevag.pdf [In PDF document text]
    • https://s3.amazonaws.com/fekazudabo/harmonic_oscillator_quantum_mechanics.pdf [In PDF document text]
    • https://s3.amazonaws.com/vukusa/roblox_shark_bait.pdf [In PDF document text]
    • https://static1.squarespace.com/static/5fbfd56316f6d44b07b8b81c/t/5fc4359118e72e5fdb5d5dae/1606694290354/world_war_ii_test_study_guide.pdf [In PDF document text]
    • https://static1.squarespace.com/static/5fc5240da13a450bab0fe7b5/t/5fcf4d0a1b45e152edc4cf54/1607421194778/arena_football_cheerleader_salary.pdf [In PDF document text]
    • https://static1.squarespace.com/static/5fc5d53abda9c57a97e000d3/t/5fd14d3d0b6c283bf7bb409f/1607552318018/lovikuronopasokapo.pdf [In PDF document text]
    • https://static1.squarespace.com/static/5fc4d4b9e5c7695ca9b4bda1/t/5fce21777ae85b53b2ba84fb/1607344504306/28254630531.pdf [In PDF document text]
    • https://static1.squarespace.com/static/5fc1576327a199023ab86c6c/t/5fc47c14f3de5e49b5f48690/1606712341662/spyera_apk_uptodown.pdf [In PDF document text]
    • https://uploads.strikinglycdn.com/files/f29df739-d44c-468e-8bd8-604ba8390957/67798376198.pdf [In PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In PDF document text]
    • http://purl.org/dc/elements/1.1/ [In PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [In PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [In PDF document text]
    • http://scripts.sil.org/OFL [In PDF document text]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000b4e3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB4E3
    Size: 5120 bytes
    SHA-256: 9b298619c759207fc3b42fa4ac02996623e9345d1e1845ad911e39ea867e57e8
  • Filename: font_01_sfnt_off0000c652.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC652
    Size: 9872 bytes
    SHA-256: c36aacaa08b489d0811fe3e9f72dadfc68e027212bd21ab1cf320fda83c1a2d2