Malicious PDF — malware analysis report

Static analysis result for SHA-256 278860a771510b75…

MALICIOUS

PDF

70.0 KB Created: 2021-03-29 00:21:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: af3f412bf7e708e42a8641d8d73cc400 SHA-1: 7b8cc7cfd8ffbb19ba01e2cdb5aa4fa7cc985e23 SHA-256: 278860a771510b7587e1d208a5f152a608eb3dbc9f264f8d075bb8494af06319
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'https://jacksth.ru/strik?utm_term=evod+battery+not+charging', which is likely a malicious link designed to trick the user. The document body, though heavily obfuscated, appears to relate to a product issue, reinforcing the phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=evod+battery+not+charging
    • https://cdn-cms.f-static.net/uploads/4375521/normal_602b529bbb31d.pdf
    • http://dizititakozazi.mywebcommunity.org/32052678687.pdf
    • https://cdn.sqhk.co/mewobonovagi/hhjfFij/30224537362.pdf
    • https://cdn-cms.f-static.net/uploads/4446378/normal_603e98b327579.pdf
    • https://cdn-cms.f-static.net/uploads/4473056/normal_5fda160162770.pdf
    • https://moninedowilex.weebly.com/uploads/1/3/1/4/131436981/belavemikodamitaxe.pdf
    • https://static.s123-cdn-static.com/uploads/4391326/normal_6002071c4151b.pdf
    • https://cdn.sqhk.co/mivadunoxo/iI7TOrS/60994933978.pdf
    • http://tafugegajotu.mygamesonline.org/12044607384.pdf
    • https://jitolubupiloz.weebly.com/uploads/1/3/4/6/134637312/6865772.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/gogoxowiniza/83271991496.pdf
    • https://65d0a56f-4074-4e8f-9acc-29e6f8e8f663.filesusr.com/ugd/37655d_22a8ad20e05d44c3ae006e3a50f5b9e2.pdf?index=true
    • http://teropisarazo.myartsonline.com/50487175610.pdf
    • https://4b4b92a8-4ac5-4030-97d5-af0917f8c077.filesusr.com/ugd/0251f0_5be7a9d66af5442eae973c7bb4dc9fa5.pdf?index=true
    • https://s3.amazonaws.com/tawosutosuxi/13262523793.pdf
    • https://s3.amazonaws.com/womirofop/banjara_movie_mp4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d4db.bin
11c15ea415ec210fa765bd227741cacbdd66d251b9f86defe0bd97688334d214		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD4DB 5248 bytes
font_01_sfnt_off0000e6c4.bin
23a9de22e3b377cd1201a8494f5ca3648f1d81b6196e5fc06ef97b357a1e2095		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE6C4 10588 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.