Malicious PDF — malware analysis report

Static analysis result for SHA-256 2952321b296fadec…

MALICIOUS

PDF

65.7 KB Created: 2020-11-18 02:55:21 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3729e8588c421cb01d846a0ae5bf8bbb SHA-1: e83f2d8d921522a0c31111a3502ab781c5d75edd SHA-256: 2952321b296fadecaa3ff11023d1975bc2c8b193ebea13ee6c584b57c7955a63
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that directs users to a suspicious domain, likely for phishing purposes. No scripts were extracted, but the presence of the URL and the ML/ClamAV detections strongly indicate a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/123?utm_term=unit+4+civil+war+and+reconstruction
    • https://cdn-cms.f-static.net/uploads/4388420/normal_5f95997848524.pdf
    • https://cdn-cms.f-static.net/uploads/4390324/normal_5fb4606dd3dfc.pdf
    • https://cdn-cms.f-static.net/uploads/4417033/normal_5f9bdbf980643.pdf
    • https://cdn-cms.f-static.net/uploads/4369923/normal_5f8bda79414c1.pdf
    • https://cdn-cms.f-static.net/uploads/4379610/normal_5fa1f44cab3ac.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/sakaburepagase/69649468325.pdf
    • https://uploads.strikinglycdn.com/files/4aad611a-1a7d-499d-8dde-087cdc7b58e0/pandora_one_apk_cracked.pdf
    • https://uploads.strikinglycdn.com/files/9b122074-c119-4ea6-ac41-2e68fa45aba4/witufividupipofizituri.pdf
    • https://uploads.strikinglycdn.com/files/b1ac14f4-e6dc-4c73-b9bb-a66028e6f722/76664356678.pdf
    • https://s3.amazonaws.com/fasanag/official_bocce_rules.pdf
    • https://uploads.strikinglycdn.com/files/cffc1698-7458-4b8d-9000-24882e03a10b/download_google_chrome_os_iso_32_bits.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c513.bin
8596d4ea09c8aa5c2bc3fbe237455f12e538844bbce78a0bed98c3a8524e0d05		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC513 5164 bytes
font_01_sfnt_off0000d6d1.bin
17ecdb8f35478692869ea667159ede9989b1da027aaed6de0cedd27fc5dde585		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD6D1 10536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.