Malicious PDF — malware analysis report

Static analysis result for SHA-256 1927c18230a49eff…

Verdict: MALICIOUS
File type: PDF
Size: 78.6 KB
Created: 2021-04-01 14:52:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 650100faf42ab8b0329e9ccf71d6b4f1
SHA-1: 98bbfd8ceb4a52cbf52157f9f54520acc7ef8417
SHA-256: 1927c18230a49eff47bd41332d0d385a8b5917edaaf445d22fe40e0a06062078
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0000f5a9.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF5A9    5508 bytes
  SHA-256: 4385e41563340aaea09508757afc7d4739f0bd5d927cba51ea9a1ecbc4ca69a8
font_01_sfnt_off00010852.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x10852   10512 bytes
  SHA-256: cf78a849ec8fc9b7eaded925b247c9c94dccc2ffdcf3ae44276f3da143b75614