Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f9bcd955ee46a71…

Verdict: MALICIOUS

File type: PDF

Size: 93.7 KB
Created: 2021-05-19 19:37:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e8c269b34eb7af59617966012c9ff891
SHA-1: 204fba9936f683ac9880ac8f341a6553b6170e7c
SHA-256: 1f9bcd955ee46a71ffc1b6226611a1c04419cdd61422d150b82573892e5c9c6f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that directs users to a domain associated with malicious activity, disguised as a download for 'Pokemon roms 2020 reddit'. No scripts were extracted, but the presence of the malicious URL and the document's deceptive content strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/strik?utm_term=pokemon+roms+2020+reddit

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off00010d2a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x10D2A    3084 bytes
  SHA-256: f24846e024915e51fd8f90e2c528666278dbc3f9e9a5595f388da4e795c26caa
font_01_sfnt_off00011820.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x11820    5068 bytes
  SHA-256: 9c3fc383c528ea2b4ac370fd4a43968964c37869b115f371bde9e9e79d78489c
font_02_sfnt_off0001294e.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1294E   12820 bytes
  SHA-256: b641294296851d2fbd0c8a50f4b1629af115541acf931c10d42498fef02a899e
font_03_sfnt_off00015479.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x15479   16088 bytes
  SHA-256: c8cad0fcbf711734ba90d1bf0f33d5774ae0d43a5fc07b95f2d0d23150af1919