Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d9dacd514211150…

MALICIOUS

PDF

Size: 72.8 KB
Created: 2021-06-06 23:50:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: c5eb331f85e1337aa2521f707b549595
SHA-1: 5381d2c4ef53f40c08a3cd438a34b47bb17194f1
SHA-256: 1d9dacd5142111506904411982a6d7ded1c5eb6886ff016a123e81be995c6f47
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains embedded JavaScript that redirects the user to a malicious URL. The document body, though heavily obfuscated, suggests a lure related to a Toshiba Regza owner's manual, aiming to trick the user into clicking the provided link. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crewmak.ru/pbw?utm_term=toshiba+regza+owners+manual (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e088.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE088
    Size: 5332 bytes
    SHA-256: b3b6013d3fdb934f2bca8c0920182772bbf82ecb19c64d7bd8be8c5de2e92b77
  • Filename: font_01_sfnt_off0000f29a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF29A
    Size: 10508 bytes
    SHA-256: 10859811f892b24614ed2898bb3a5571822f4f3789904a12eeb9164c2acb40e6