Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ba1120465eb52d4…

Verdict: MALICIOUS
File type: PDF
Size: 89.8 KB
Created: 2021-05-21 13:36:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: a89ed6ff878b7ca5f855ca8dfeffe602
SHA-1: 1186c076776f373b6b2d8908243a585f3409762d
SHA-256: 1ba1120465eb52d40884a1d33271d39076ecac4ec931c9c4478615382bc7104a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF document was flagged as malicious both by a ClamAV signature and by an ML classifier. The file carries a link annotation whose /URI action points at an external, attacker-controlled resource, and its page text embeds further external URLs. The specific URLs, with the channel each was extracted from, are listed under the Embedded URL heuristic below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV matched this file against the signature named above.
  • External URI action info PDF_URI
    The document contains a /URI action, i.e. a link that opens an external URL when the reader follows it.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion pattern used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when one of the duplicate bodies carries active content (an action, script or external reference).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://mezovuduw.ru/strik?utm_term=brand+storytelling+book+pdf (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4371806/normal_603c4ff733b15.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4496005/normal_601b009337a6a.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4393044/normal_5fcff6bd105a2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4467577/normal_606b9c813f2f3.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4374542/normal_5ffea69162d4e.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/297d4385-5af0-4b17-ad47-2ef61ec2defd/josep.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2049ef0d-a5eb-4ecb-b862-2e1d896c313f/zinolesupaf.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/229c9e5e-9154-4099-b2fc-024ede56b380/good_mixed_drinks_with_crown_royal_black.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/36715614-414b-453b-b6f8-11f7f8504603/kivajupebiwamaba.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d22ddeb1-ded3-45dd-a422-7486ed5d44c1/38744590908.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/510ecf9a-9f39-4049-b23b-7ade25aaa5ef/who_originally_sang_fly_me_to_the_moon.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9da6db33-b221-4684-838a-9af21e216ab1/59392677674.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ae8dd444-380d-40f7-8d62-37ab9eaae84a/how_much_does_it_cost_to_rent_a_carpet_cleaner_from_dollar_general.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5f53d83f-7bee-40cc-bd63-4b3c2d35f7ed/lexus_rx_350_f_sport_invoice_price.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1ce6fd87-5ae4-4d28-b757-0c212e57f1a5/kuvurokujibefonebez.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/df315974-a401-443c-b7d4-41bfab6ccccd/what_is_computer_ict.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0f391abc-836e-465e-bac9-5428f5f7d82e/lidedudedebepi.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0f25a737-f73f-4778-9ea5-9d2460f1b9bc/what_is_brown_v_board_of_education_about.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bcc16efb-2b8c-46c4-a6c3-870f37de0860/why_does_my_security_system_keep_beeping.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a445fb1d-57b1-484e-a1b0-890aa6d51edc/ladibiverefofapexiwij.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/634652e3-e7c6-4d07-92bb-68ea868dc6a7/2019_freightliner_cascadia_radio_antenna.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2ec0b8bb-500a-4ee2-ade8-93b12d4d53f4/fozedewujunaz.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Only the first entry is reachable by clicking: it is the target of the document's /URI link annotation. The remaining entries were swept out of the raw document bytes. The w3.org, purl.org and ns.adobe.com entries are RDF, Dublin Core and XMP namespace identifiers from the document's metadata, and the ascendercorp.com and scripts.sil.org/OFL entries are font-vendor and Open Font License strings from the embedded fonts; these are inventory, not indicators.
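The two PDF-structure heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the link-annotation versus document-text channel split under EMBEDDED_URL) can be reproduced with a small byte-level object indexer. The following is an added example written for this page, not code from the analysis platform that produced the report. It assumes nothing beyond the PDF syntax for indirect objects (`N G obj ... endobj`), incremental updates (a second definition of the same object appended after the first `%%EOF`) and `/URI` actions; the sample PDF, the `phish.invalid` hostname and the `ACTIVE_KEYS` list are constructed for the example, and the sample omits stream `/Length` values, so it is a parser fixture rather than a valid file. Compressed content streams are not inflated, so the document-text sweep only sees uncompressed bytes.

```python
# Added example, not part of the original report. Indexes every indirect
# object definition in raw PDF bytes, reports objects defined twice with
# differing bodies (raising severity only when a body carries active content),
# and shows which /URI a first-wins and a last-wins reader would resolve for
# the document's link annotations. All input below is constructed.
import re
from typing import Dict, List, Tuple

# Keys whose presence means an object can fire an action instead of only
# drawing content. Assumed list for this example.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/ImportData")

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
ACTION_REF_RE = re.compile(rb"/A\s+(\d+)\s+(\d+)\s+R")
TEXT_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

# Constructed fixture: the first revision gives link annotation 5 0 a harmless
# internal /Dest; the appended incremental update redefines 5 0 with a /URI
# action and 4 0 with only a new /ModDate. Hostname is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210521133631+03'00') >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /Dest [3 0 R /Fit] >> endobj
6 0 obj << /Type /Metadata /Subtype /XML >> stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
4 0 obj << /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210522090000+03'00') >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://phish.invalid/strik?utm_term=brand+storytelling+book+pdf) >> >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""


def index_objects(pdf: bytes) -> Dict[Tuple[int, int], List[bytes]]:
    """Map (object number, generation) to every body defined for it, in file order."""
    objs: Dict[Tuple[int, int], List[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def resolve(bodies: List[bytes], policy: str) -> bytes:
    """Pick the body a first-wins ("first") or last-wins (anything else) reader uses."""
    return bodies[0] if policy == "first" else bodies[-1]


def duplicate_findings(pdf: bytes) -> List[dict]:
    """One finding per object that is defined more than once with differing bytes."""
    findings = []
    for (num, gen), bodies in index_objects(pdf).items():
        distinct = list(dict.fromkeys(bodies))  # unique bodies, file order kept
        if len(distinct) < 2:
            continue
        active = any(k in b for b in distinct for k in ACTIVE_KEYS)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "first_wins": distinct[0],
            "last_wins": distinct[-1],
            "active_content": active,
            # Body-only drift is normal in incremental saves; escalate only when
            # one of the competing bodies can fire an action.
            "severity": "raised" if active else "info",
        })
    return findings


def link_annotation_uris(pdf: bytes, policy: str = "last") -> List[str]:
    """/URI targets reachable from /Link annotations under the given policy,
    following one level of indirect /A references."""
    objs = index_objects(pdf)
    uris: List[str] = []
    for bodies in objs.values():
        body = resolve(bodies, policy)
        if b"/Link" not in body:
            continue
        targets = [body]
        for r in ACTION_REF_RE.finditer(body):
            ref = objs.get((int(r.group(1)), int(r.group(2))))
            if ref:
                targets.append(resolve(ref, policy))
        for t in targets:
            uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(t))
    return uris


def document_text_urls(pdf: bytes) -> List[str]:
    """Every URL-shaped string in the uncompressed bytes, whatever its channel.
    This is the EMBEDDED_URL sweep: a hit here is inventory, not a detection."""
    return sorted({m.group(0).decode("latin-1") for m in TEXT_URL_RE.finditer(pdf)})


if __name__ == "__main__":
    for f in duplicate_findings(SAMPLE_PDF):
        print(f"{f['object']} obj: {f['definitions']} definitions, severity={f['severity']}")
    for policy in ("first", "last"):
        print(f"{policy}-wins link targets: {link_annotation_uris(SAMPLE_PDF, policy)}")
    print("text-channel URLs:", document_text_urls(SAMPLE_PDF))
```

Run against the fixture, `4 0` is reported at info (only the /ModDate changed) while `5 0` is raised because its second body carries a /URI action; a first-wins reader resolves the annotation to the internal /Dest and sees no external target, a last-wins reader follows the phishing URL, which is exactly the discrepancy the heuristic is built to surface. The text sweep returns both the RDF namespace and the phishing URL, illustrating why the per-URL channel label, not the URL list itself, carries the signal.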

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000eb35.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEB35   16912 bytes
    SHA-256: 3e4bed96774ac91828690f24ae0e8cf572ab554d397acd94501c4d0f9c57c9a3
font_01_sfnt_off0001210d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1210D  5564 bytes
    SHA-256: 12d83afe65d646f43c68f47ff90f217c8de0717396f2d7dab67ba07404dc7067
font_02_sfnt_off00013418.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13418  10364 bytes
    SHA-256: 4ef26ec0c8ea3be925d06ff7c6a4bf8a9009daaa2e8b9cd8d57ae64462e12b75