Malicious PDF — malware analysis report

Static analysis result for SHA-256 20aad01461258fe9…

Verdict: MALICIOUS
File type: PDF
Size: 99.4 KB
Created: 2021-05-26 13:14:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 568b95d1bb6267631140a1a100af0c4f
SHA-1: d97dda1a00b5cf0469dee28f5674361738401581
SHA-256: 20aad01461258fe998d19ef3a62571b0190c57ade1cf776768e3247b39134e14
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9945

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; each URL is labelled with the channel (macro, JS, link annotation, document body, ...) through which it was reached.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010ac5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10AC5
    Size: 4968 bytes
    SHA-256: c7b6e745377473e941f2aca5d429e8f9bae6905401e645d042d4d5ab8e9a887d
  • font_01_sfnt_off00011b74.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11B74
    Size: 24692 bytes
    SHA-256: 8aaa3a1f4431837a32b471a8adad3d88a2d31e433fef7fe31a4da3f1bb767d66
  • font_02_sfnt_off000158dd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x158DD
    Size: 10780 bytes
    SHA-256: f0434c1bb6658f5a90ba576663448232f371d76ea646333896c41177819c25c5