Malicious PDF — malware analysis report

Static analysis result for SHA-256 24f3b0fb083a9c87…

Verdict: MALICIOUS
File type: PDF
Size: 76.5 KB
Created: 2021-03-31 22:08:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: 4b22e86ae97449242c33010f46a27874
SHA-1: 3eed14b92cfe1ff8653642d9c808af7ba1c4cb73
SHA-256: 24f3b0fb083a9c8759ead703969be3ee16faf008693aab82f6dd345e0db695cf
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000edde.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEDDE
    Size: 5200 bytes
    SHA-256: 5f9540e1fbe4592cb1d7e700ae9c85f6fc0e23f74b34ef8f4316b5dc0beef80f
  • font_01_sfnt_off0000ff65.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF65
    Size: 10400 bytes
    SHA-256: 62bdb3236869d547e0d6c40cab28cd1548f6f721a43fbef16478247027dcbcef