Malicious PDF — malware analysis report

Static analysis result for SHA-256 1bd0ee9452566b04…

Verdict: MALICIOUS
File type: PDF
Size: 79.8 KB
Created: 2021-06-08 06:30:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 21b8afb5e5802dda1c552a6961ed57d4
SHA-1: 34cdcfc5a071348964271d75d98fdf55bc9a867d
SHA-256: 1bd0ee9452566b045332408a904194401d25566b20b2d09df848562f443e3f76
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF was flagged as malicious by a machine-learning classifier (Nyx PDF Classifier, score 0.9993) and by ClamAV (Pdf.Phishing.Trojan signature). Its visible content is heavily obfuscated, but no scripts were extracted and no launch-action or embedded-file heuristic fired, so the sample shows no executable payload of its own. What it does carry is a large set of external link targets (URI actions) on file-hosting and site-builder CDNs (f-static.net, s123-cdn-static.com, strikinglycdn.com, pbworks.com), which is the shape of a lure document that sends the reader on to a further PDF or download rather than exploiting the viewer. With no script or exploit content recovered, the T1203 mapping is not borne out by the extracted artifacts; the spearphishing-attachment mapping (T1566.001) is the one the evidence supports, and the delivery chain beyond the links cannot be determined statically.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (number N, generation G) is defined more than once with different body bytes. A reader that keeps the first definition and one that keeps the last will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are common in benign incremental updates (a saved edit simply appends a new copy of the object), so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; which channel reached it (link annotation, document body, metadata, JavaScript, ...) decides whether it matters, and this listing does not carry per-URL channel labels. The last seven entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org) are XMP metadata namespace identifiers and the SIL Open Font License URL, fixed strings from the metadata stream and the embedded fonts rather than link targets; the ascendercorp.com entries most likely come from the embedded fonts' vendor strings (Ascender is a type foundry), although the page does not state their source.
    • https://cdn-cms.f-static.net/uploads/4495691/normal_6032726ddc990.pdf
    • https://cdn-cms.f-static.net/uploads/4416789/normal_602add63d69c2.pdf
    • https://static.s123-cdn-static.com/uploads/4405922/normal_5feb31b7cb42f.pdf
    • https://cdn-cms.f-static.net/uploads/4451047/normal_60b85eda05950.pdf
    • https://cdn-cms.f-static.net/uploads/4472495/normal_60bed13557d1d.pdf
    • https://cdn-cms.f-static.net/uploads/4374535/normal_6055df7dc5628.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://feedproxy.google.com/~r/wb/ENAH/~3/WboozbXZlIE/wb?keyword=duralast%20jump%20starter%20manual
    • https://uploads.strikinglycdn.com/files/fbf61904-be8b-429a-b16c-7246ffd9b0d7/38839860966.pdf
    • https://uploads.strikinglycdn.com/files/514002a3-d4d1-411b-b15b-396b3c710c9b/eyes_have_not_seen_nor_ear_heard_song.pdf
    • https://uploads.strikinglycdn.com/files/fd4b66a8-15a2-4e1e-b94a-48306b4af366/the_missing_1_trailer.pdf
    • https://uploads.strikinglycdn.com/files/caf86e5c-5a40-438d-8131-48c8afb955f0/46827588368.pdf
    • https://uploads.strikinglycdn.com/files/b2ce6097-0370-4eff-9b4a-66b64b6c83ee/wovigasejekojusinir.pdf
    • http://tazijebep.pbworks.com/f/xivorifuzotawugo.pdf
    • https://uploads.strikinglycdn.com/files/4fc68fca-05cf-4d49-84c4-0a403da88b4e/drumless_music_tracks_free_download.pdf
    • https://uploads.strikinglycdn.com/files/71708ac6-6f4d-4a0e-8d25-4c16e79f31a7/ms_word_table_of_contents_dots.pdf
    • http://tijigika.pbworks.com/w/file/fetch/144793746/wikebaxozuvusuxuzoloxeli.pdf
    • https://uploads.strikinglycdn.com/files/35c936e6-e497-404a-be2b-21ea598b9855/como_comear_um_resumo_critico.pdf
    • https://uploads.strikinglycdn.com/files/6a2bfbf4-104a-4d08-9740-46648d0e8397/oxford_picture_dictionary_low_beginning_workbook.pdf
    • https://uploads.strikinglycdn.com/files/889fae95-daa2-458f-9876-c28e8236d8a5/72153400163.pdf
    • http://numefen.pbworks.com/w/file/fetch/144551535/49009416766.pdf
    • https://uploads.strikinglycdn.com/files/f02f6d56-5632-4c38-b08c-c0b1183cdf2f/14102259398.pdf
    • http://zopujoxobug.pbworks.com/w/file/fetch/144419268/80782654079.pdf
    • https://uploads.strikinglycdn.com/files/e4ba2bb0-b1f8-4f4b-85c6-90d28b663898/82878810906.pdf
    • https://uploads.strikinglycdn.com/files/91c38d96-e458-4840-948a-56fa7d9a9df3/los_generales_de_dios_tomo_3_gratis.pdf
    • https://uploads.strikinglycdn.com/files/a6925e0e-9e99-4cd4-9252-645df08c00f6/jufitusurofijefet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
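The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced on the raw bytes without a PDF library. The following Python is an added example for this page, not the analysis platform's own code: it enumerates `N G obj` definitions, reports object numbers defined more than once with different bodies, escalates only when a competing body carries an active key (the severity rule the heuristic describes), shows what a first-wins versus a last-wins reader resolves, and pulls every /URI action target. The sample PDF inside it is constructed for the demonstration (a benign link annotation followed by an appended incremental update that redefines two objects) and deliberately has no xref sections.

```python
"""Raw-bytes triage of PDF indirect objects: duplicate definitions and /URI actions.

Added example, not the report's own tooling. It works on the raw file with
regular expressions rather than a PDF library, so it also sees objects that a
damaged or forged xref table would hide. SAMPLE_PDF is constructed for the
demo: a benign link annotation, then an appended incremental update that
redefines two objects (no xref sections, so real readers would rebuild them).
"""
import re
from collections import defaultdict

# "N G obj <body> endobj"; DOTALL so bodies that contain streams are captured.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values; handles backslash escapes inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys that make a duplicate definition worth escalating beyond "info".
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|SubmitForm|EmbeddedFile)\b")

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
    b" /A << /S /URI /URI (https://example.com/benign.pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: 3 0 changes harmlessly, 4 0 now points the link elsewhere.
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Rotate 0 >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
    b" /A << /S /URI /URI (https://example.net/lure.pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def parse_objects(data: bytes):
    """Map (num, gen) -> list of body bytes in file order ([0] first seen, [-1] last seen)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(data: bytes):
    """(num, gen, severity) for every object defined more than once with differing bytes.

    'info' when only passive content differs (ordinary incremental-update noise);
    'high' when any of the competing bodies carries an active-content key.
    """
    out = []
    for (num, gen), bodies in parse_objects(data).items():
        if len(set(bodies)) < 2:
            continue
        active = any(ACTIVE_RE.search(b) for b in bodies)
        out.append((num, gen, "high" if active else "info"))
    return out


def resolve(data: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """Body a reader ends up with: 'first' keeps the earliest definition, 'last' the latest."""
    bodies = parse_objects(data).get((num, gen))
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


def uri_actions(data: bytes):
    """Targets of every /URI action found in the given bytes, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


if __name__ == "__main__":
    for num, gen, sev in duplicate_objects(SAMPLE_PDF):
        print(f"{num} {gen} obj: conflicting definitions, severity {sev}")
        for policy in ("first", "last"):
            print(f"  {policy}-wins URIs: {uri_actions(resolve(SAMPLE_PDF, num, gen, policy))}")
    print("all URI actions:", uri_actions(SAMPLE_PDF))
```

Two caveats when pointing this at real files: objects packed into object streams (/ObjStm) are compressed and invisible to the regex, so the same scan has to be run over inflated streams as well; and the token `obj` can occur inside binary stream data, which a production carver avoids by honouring each stream's /Length before resuming the search.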

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f6f5.bin
  SHA-256: 2283382528452ebc9759092a078995be736c9f911fbf833d98c4db271d83ebf2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF6F5
  Size: 5040 bytes

Filename: font_01_sfnt_off00010807.bin
  SHA-256: e7e7baf4599ef98a1b9477a39a59021369a3644d06195de64ae44dce71e7bc9c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10807
  Size: 12364 bytes
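The artifact rows above are the output of carving sfnt font streams by offset and hashing the slice. As an added example (not the report's own carver), the following Python reproduces that shape: it finds an sfnt header by magic, validates the table directory so that the PDF boolean `true` (a common false hit for the TrueType `true` magic) is rejected, sizes the font by the end of its last table, and SHA-256s the result, scanning both the raw file and every stream that inflates, since font streams are usually Flate-compressed. The sample PDF and the two fonts inside it are constructed here; `build_sfnt` writes zero table checksums, which is enough for structural carving but would not satisfy a font validator.

```python
"""Carve embedded sfnt fonts (TrueType/OpenType) out of a PDF and hash them.

Added example, not the report's own carver. SAMPLE_PDF and the two fonts in
it are constructed here; build_sfnt writes zero checksums (structurally valid,
not a real font). Offsets in the 'file' rows are file offsets; offsets in the
'stream@...' rows are relative to the inflated stream data.
"""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_sfnt(tables):
    """Minimal structurally valid sfnt from {tag: data} (n >= 1); test input only."""
    n = len(tables)
    es = n.bit_length() - 1            # entrySelector = floor(log2(n))
    sr = (1 << es) * 16                # searchRange
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, sr, es, n * 16 - sr)
    directory, body = b"", b""
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
    return header + directory + body


def sfnt_extent(blob: bytes, off: int):
    """Length of the sfnt at off, or None when the header is not a real table directory.

    This is what turns a magic hit on the PDF boolean 'true' into a non-finding:
    the two bytes after it are not a plausible table count.
    """
    if off + 12 > len(blob):
        return None
    num_tables = struct.unpack_from(">H", blob, off + 4)[0]
    if not 0 < num_tables <= 64:
        return None
    dir_end = 12 + 16 * num_tables     # table records are sorted by tag, not offset
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(blob):
            return None
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", blob, rec)
        if not all(0x20 <= c <= 0x7E for c in tag) or toff < dir_end or off + toff + tlen > len(blob):
            return None
        end = max(end, toff + tlen)
    return min((end + 3) & ~3, len(blob) - off)


def carve_fonts(blob: bytes):
    """All validated sfnt fonts in blob as dicts with offset, size, sha256 and data."""
    found, pos = [], 0
    while True:
        hits = [i for i in (blob.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        size = sfnt_extent(blob, off)
        if size is None:
            pos = off + 1                  # false positive, keep scanning
            continue
        data = blob[off:off + size]
        found.append({"offset": off, "size": size, "sha256": hashlib.sha256(data).hexdigest(), "data": data})
        pos = off + size                   # skip the font's own bytes (table data can look like a header)


def font_artifacts(pdf: bytes):
    """Rows (where, offset, size, sha256): raw-file hits, then hits inside inflated streams."""
    rows = [("file", f["offset"], f["size"], f["sha256"]) for f in carve_fonts(pdf)]
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue                       # not Flate data
        for f in carve_fonts(inflated):
            rows.append((f"stream@{m.start(1):#x}", f["offset"], f["size"], f["sha256"]))
    return rows


# Constructed inputs: one font stored raw, one stored Flate-compressed.
FONT_A = build_sfnt({b"cmap": b"\x00\x00\x00\x01" + bytes(20), b"head": bytes(54)})
FONT_B = build_sfnt({b"cmap": b"\x00\x00\x00\x01" + bytes(20), b"glyf": b"\x01" * 10, b"head": bytes(54)})
COMPRESSED_B = zlib.compress(FONT_B)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"4 0 obj << /Type /XObject /Interpolate true >> endobj\n",   # 'true' is a decoy magic
    b"5 0 obj << /Length %d >> stream\n" % len(FONT_A), FONT_A, b"\nendstream endobj\n",
    b"6 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(COMPRESSED_B),
    COMPRESSED_B, b"\nendstream endobj\n",
])

if __name__ == "__main__":
    for where, off, size, digest in font_artifacts(SAMPLE_PDF):
        print(f"{where:<16} offset {off:#08x} {size:>6} bytes sha256 {digest}")
```

Hashing the carved slice rather than the whole stream is what makes the artifact SHA-256 comparable across samples: the same font embedded by the same generator hashes identically even when the surrounding PDF differs, which is useful for clustering lure documents by toolchain.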