Malicious PDF — malware analysis report

Static analysis result for SHA-256 25a1c09318a6295c…

Verdict: MALICIOUS
File type: PDF
Size: 106.1 KB
Created: 2021-05-12 13:42:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9486b949532320d1bacc81aecf53d581
SHA-1: 2252f3a4d9e31c39f0cd882414090f8dda858f98
SHA-256: 25a1c09318a6295c061e20c1adfaab7adabd62e5117432d7c4cc489e4f3ac9a0
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, indicating a high likelihood of malicious intent. The presence of embedded URLs, including one referencing 'Attack on Titan', suggests a phishing or social engineering lure. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards an attempt to redirect the user to a malicious site, likely for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9964

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/strik?utm_term=attack+on+titan+season+4+episode+6+sub+countdown
    • https://xotomunekezej.weebly.com/uploads/1/3/1/0/131070571/5583971.pdf
    • https://vurigejowuzebad.weebly.com/uploads/1/3/3/9/133997249/japijuzesavad_gozizixiwodax_gubutuxodepuxe_xujivin.pdf
    • http://xuzerujagojagip.scienceontheweb.net/domibafigos.pdf
    • http://watogoda.mypressonline.com/a_study_in_scarlet_and_blue_spider_man.pdf
    • http://telovajov.medianewsonline.com/acceleration_problems.pdf
    • https://cdn.sqhk.co/sopaluwokaja/hdjghhY/sing_karaoke_online_karaoke_record.pdf
    • http://lofoporubatul.mygamesonline.org/balance_sheet_account_reconciliation.pdf
    • https://jerijumewatopod.weebly.com/uploads/1/3/5/3/135330781/b4d97bb3.pdf
    • https://cdn.sqhk.co/midipijikami/JeNRgfn/winterhawks_tickets_tonight.pdf
    • https://samalatedagunir.weebly.com/uploads/1/3/4/0/134040677/4366111.pdf
    • https://voxivunesiru.weebly.com/uploads/1/3/1/4/131407918/5701309.pdf
    • https://cdn.sqhk.co/gefimiwotux/dRMjghh/kusevizotapilatawanibef.pdf
    • https://cdn.sqhk.co/mazonixun/eVujaPe/t_i_game_alien_zone_plus_hack.pdf
    • https://cdn.sqhk.co/kaxejelun/Qhh7PiD/basolupededox.pdf
    • http://xesapuwax.mywebcommunity.org/discrete_probability_distribution_formula_excel.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://fedorahosted.org/lohit
    • https://s3.amazonaws.com/tikofaketonub/paluxasebugizifi.pdf
    • https://uploads.strikinglycdn.com/files/14d3c4a2-ba41-41ca-b90b-3b3107763125/kenmore_refrigerator_model_253_troubleshooting.pdf
    • https://uploads.strikinglycdn.com/files/82d2d98f-0ec1-4030-85d3-6840cb2bd7b7/clash_of_kings_website.pdf
    • https://uploads.strikinglycdn.com/files/603ba47b-d4b3-46f9-9bed-46990b794751/what_does_a_central_processing_technician_do.pdf
    • https://uploads.strikinglycdn.com/files/38baf34c-f864-4034-8ed7-d73cc54401a2/21859838743.pdf
    • https://s3.amazonaws.com/juwofuxufijup/neet_2020_form_last_date.pdf
    • https://s3.amazonaws.com/bulalowisu/song_of_the_lioness_alanna_and_george.pdf
    • https://s3.amazonaws.com/saziwijaxodav/lead_like_jesus_book_summary.pdf
    • https://uploads.strikinglycdn.com/files/22d78151-7d1e-4062-bee1-582718fe481c/10892442934.pdf
    • https://uploads.strikinglycdn.com/files/a7cbdefb-8037-4088-8ed1-828f8b35c75f/30543172261.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00011ad0.bin
    SHA-256: 4e4ed3e14ab6970f2ddc0913e1648a7d6095104dca3c14c9dad0c9fb012c7f88
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11AD0
    Size: 5348 bytes
  • font_01_sfnt_off00012d19.bin
    SHA-256: d5ecec3e822993868ba70e247019bcdb656a9fee58d620eb93bc70658e929280
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D19
    Size: 3720 bytes
  • font_02_sfnt_off0001387c.bin
    SHA-256: 1f6af6b8a621ebf4e5f04c3060c999172d3c96d51eeb1acc121c9d12f3ad8d1e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1387C
    Size: 10112 bytes
  • font_03_sfnt_off00015afc.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15AFC
    Size: 4324 bytes
  • font_04_sfnt_off000168fd.bin
    SHA-256: 665918d721a9ba8fd97e0799fbbb3aa8cc844cb1889531ecab201b6d872fcb6a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x168FD
    Size: 15920 bytes