Malicious PDF — malware analysis report

Static analysis result for SHA-256 24eea8aa995315fb…

Verdict: MALICIOUS
File type: PDF
Size: 85.4 KB
Created: 2021-04-12 03:31:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5f192f016d6f8cbb4acacb426ad70217
SHA-1: 9dbbcae9305ebdddec46c2ebb16bb65615c7df6b
SHA-256: 24eea8aa995315fb9d22ba6a047bd5c5161c1babc1e207bdf3323380014e59b5
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified by heuristics and a machine learning classifier as malicious. The document body, though heavily obfuscated, suggests a lure related to a game, likely to trick users into visiting the malicious URL. The ClamAV detection further confirms the malicious nature of the file, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00010eb8.bin
    SHA-256: dfdac97cca42750717243a9cf0ee14e50f10e90e002ae5965e4de06e4e614981
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10EB8
    Size: 5180 bytes
  • font_01_sfnt_off00012035.bin
    SHA-256: cdf24253f7b2a74c33fa89db045c71552138c12061b664dca5748b83f25f9711
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12035
    Size: 11128 bytes