Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d8c74ce86be3899…

Verdict: MALICIOUS
File type: PDF
Size: 73.2 KB
Created: 2020-12-27 17:41:31 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-11
MD5: 24f7e72a6b9ae8d9a27bddea2f9cf228
SHA-1: b25222ee56398b909a6995ebd3d7f9144e0e571d
SHA-256: 1d8c74ce86be38991eff7c0f7033154037a2d9ed8c0622098d6219a068541f99
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by both a machine learning classifier and ClamAV, the latter naming it a phishing trojan. It contains a link annotation with an embedded URI pointing to 'https://trafficel.ru/strik?utm_term=draftkings+masters+pool', suggesting a phishing lure themed around a DraftKings masters pool. The presence of multiple embedded URLs in the document text, several of which lead to other PDF files, indicates a potential multi-stage attack designed to redirect the user to further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafficel.ru/strik?utm_term=draftkings+masters+pool (PDF link annotation)
    • https://cdn.sqhk.co/lirerafi/xgggjib/gezegulofe.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4401545/normal_5fc6bd700c57a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4365553/normal_5f873efc78abd.pdf (in PDF document text)
    • https://cdn.sqhk.co/kixalixu/h1jchbo/72669101141.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/43c227aa-16ab-4320-a6e1-5dc7ef5d9160/pezumepinet.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/737ecbfd-bec5-453e-aef2-2635567be1c8/fix_file.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/dab7b8de-4813-4f53-8666-4f0f06679366/sogulexejabobe.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7d67ebd8-67df-46ec-8ceb-47ed2a8a76ec/83598649512.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2d636b8f-e6e8-4cae-9bc0-55c3207e4366/33519674638.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ad180a11-38d0-42d7-aa86-ac075f5aa9cf/the_doors_stronger_than_dirt_song.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e0e2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE0E2
    Size: 5284 bytes
    SHA-256: 4fd1d22c1104c63d49d82721d1c69800a2feac9feb8d4dc55e17aa4892f4e7eb
  • font_01_sfnt_off0000f2d9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF2D9
    Size: 11188 bytes
    SHA-256: 15b1aa0d6188c291d7335405ab1bb44c35062ba7c0b1d97ddae2f520c911a590