Malicious PDF — malware analysis report

Static analysis result for SHA-256 22db278771add980…

Verdict: MALICIOUS
File type: PDF
Size: 95.3 KB
Created: 2021-06-02 02:02:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 700aec492caa3bd560b639f512eb203b
SHA-1: 8c3048fdb9943445cfb212520be1ef7799b0c9f7
SHA-256: 22db278771add980ed676eebced0136d1a29a66cbf4c0dfcde085420a800dcce
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a URL that suggests a lure for downloading content. The presence of an external URI points towards the download of a secondary payload, likely a trojan or phishing kit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00013519.bin
    SHA-256: adbd8c4dd3aaefc26e1c316420e20c9142e177e7ad9565afca6994d1d728d2d8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13519
    Size: 5680 bytes
  • font_01_sfnt_off00014886.bin
    SHA-256: e52ebb5c19b4610748b9b24466b1ee8afc58f3101e03663b42da43517120f0e7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14886
    Size: 12184 bytes