Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c7690df62b69220…

MALICIOUS

PDF

Size: 73.4 KB
Created: 2021-05-20 02:09:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: f4063f7387907571a8bd419d9674d782
SHA-1: af354e7206dd1c435d84ad56d20a787a3abca581
SHA-256: 1c7690df62b69220696898981ff251ef872fa14d7226f96c57de658bd8e63b95
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by an ML classifier and by ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'https://baarspo.ru/strik?utm_term=counting+flashcards+1-20+printable', which is likely a phishing lure. The document body is heavily obfuscated, but the presence of the external URI together with the detection signatures strongly suggests a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/strik?utm_term=counting+flashcards+1-20+printable (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000e2a1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE2A1  5820 bytes
  SHA-256: 301ab1a230ff900ab776b9bf127798ec7f4219782f3317630fa190e8c2bebd9e
font_01_sfnt_off0000f66c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF66C  9792 bytes
  SHA-256: ee8d518277372295fe34e105076231d061e0215ede39ba2b3dd4fe49c35f2951