Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d14e34a68b472a6…

Verdict: MALICIOUS
File type: PDF
Size: 83.0 KB
Created: 2021-04-03 01:51:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b30a3d268a7f239539ce1471b852c98c
SHA-1: 54133b464f7cc213c6d25c3687f5fa6b070e9da7
SHA-256: 2d14e34a68b472a6fe9381b3ed04fec8ad84f3b3e24f24d6fce35ab72b164a0e
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The embedded URL points to a domain associated with phishing or malware distribution, disguised as a 'burger king coupons' offer. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest it is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://lozipotod.ru/award?keyword=burger+king+coupons+pdf+2020+m%25C3%25A4rz
    • https://cdn-cms.f-static.net/uploads/4417662/normal_600cedcc5d09e.pdf
    • https://static.s123-cdn-static.com/uploads/4393208/normal_5fcbac1287103.pdf
    • https://cdn-cms.f-static.net/uploads/4393628/normal_604fe98bd8a90.pdf
    • https://cdn-cms.f-static.net/uploads/4450337/normal_600d30a3bd382.pdf
    • https://cdn-cms.f-static.net/uploads/4488809/normal_601c64e8ce3cf.pdf
    • https://cdn.sqhk.co/gujuvizaja/iAjexiv/build_your_world_lite_uptodown.pdf
    • http://wisecreditscore.info/tejusimaxogitvhy5.pdf
    • https://cdn-cms.f-static.net/uploads/4383147/normal_603c87aeeb0d0.pdf
    • http://7lessons.website/8175580910v096l.pdf
    • https://cdn.sqhk.co/rasetiwulipu/ogegidE/35298902730.pdf
    • https://cdn.sqhk.co/wubunepan/a6Po4WJ/how_to_make_a_homemade_cloth_mask_easy.pdf
    • https://cdn.sqhk.co/zifeduwa/h9PNiaf/10309901127.pdf
    • https://cdn-cms.f-static.net/uploads/4417662/normal_600d55297a76c.pdf
    • https://cdn-cms.f-static.net/uploads/4367944/normal_60407c86c3ecc.pdf
    • https://cdn.sqhk.co/xogixute/qjcvxFc/deadly_medieval_arena.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://76a725e8-946c-4ae9-9249-cda469d35108.filesusr.com/ugd/83c8cc_41bf85e514624038b4aa345de6f1e725.pdf?index=true
    • https://a1d3e036-d9a1-4be1-9d2f-eedbb581cb22.filesusr.com/ugd/3ce946_dd47b8b6911f4d9f840e004fb697d4a3.pdf?index=true
    • https://uploads.strikinglycdn.com/files/def6a630-51e0-499d-876d-709d65a2f4d2/the_new_encyclopedia_of_modern_bodybuilding_wiki.pdf
    • https://uploads.strikinglycdn.com/files/6db3cc2d-10d7-4900-bd7e-d3a48c0c6e82/gimp_2.10_10_tutorial_deutsch_anfnger.pdf
    • https://uploads.strikinglycdn.com/files/93e7d556-c94f-489d-be58-f990b69bf123/siweneverobulejem.pdf
    • https://uploads.strikinglycdn.com/files/7b047b2d-5ba7-43c3-a62d-c0eec846cbbf/meaning_behind_adele_someone_like_you_lyrics.pdf
    • https://16e729f2-8c5c-4787-b670-14aeba6c5e03.filesusr.com/ugd/ac55e2_5a19dab083ec4695ab0da2bb790afa1a.pdf?index=true
    • https://b0b89e74-75d6-43b0-bb8f-fa2cd9bd5f5b.filesusr.com/ugd/b5ae3e_8cf94e1bde1348178be65b853f55fdf6.pdf?index=true
    • https://61df3396-90b5-4b69-a3ae-475c9da6ebc5.filesusr.com/ugd/516574_dd9085a291e54950abf1a8c9562b02a8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c17940c9-7178-416b-a089-bbd6c5660747/2005_honda_rancher_350_tire_pressure.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eee8.bin
  SHA-256: 56c2d52b079f69994ca5ae00a12e891b2a3291c038b10affcd85e446b46f1efc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEEE8
  Size: 5708 bytes

Filename: font_01_sfnt_off0001023f.bin
  SHA-256: f5321cd5429e795b323d0b064bdfd2f2360abb1e807b14917b7609932e7e1e38
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1023F
  Size: 13896 bytes

Filename: font_02_sfnt_off00012e22.bin
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12E22
  Size: 4324 bytes