Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d24b8030330913c…

MALICIOUS

PDF

Size: 240.6 KB
Created: 2020-04-03 02:23:08 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
First seen: 2020-09-24
MD5: 4a2c024b0fc96c9f10d2e16098cdbf6a
SHA-1: d90d2eaeb1f124d4967c5d06c1c8ac7c1597202b
SHA-256: 2d24b8030330913cffe088c985fa3a3a6b97d750b7b5e3e75122d4c075e68586
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF file contains an embedded URI pointing to 'myytr.net', which is flagged as suspicious. The PDF_EVAL heuristic indicates the presence of JavaScript that is likely attempting to execute malicious code or redirect the user. The document body, though heavily obfuscated, contains references to the embedded URL, reinforcing the lure. The overall pattern suggests a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9911

Heuristics (4)

  • eval() call (severity: high) [PDF_EVAL]
    eval() found — commonly used for obfuscated exploit execution
    Matched line in script
       <rdf:Alt>
        <rdf:li xml:lang='x-default'>Caracteristicas principales de la edad media wikipedia.  «Medieval» redirige aquí. Para otras acepciones, véase Medieval (desambiguación).   Santa Sofía de </rdf:li>
       </rdf:Alt>
  • External URI (severity: info) [PDF_URI]
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info) [PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://myytr.net/uploads/1/3/0/8/130874016/130874016.html#caracteristicas+principales+de+la+edad+media+wikipedia (PDF link annotation)
    • http://b-dogdesign.nl/uploads/1/3/1/1/131163859/2d2c45.pdf (in PDF document text)
    • http://skyhawk.ph/uploads/1/3/0/6/130639145/xozevesoze-virozeli.pdf (in PDF document text)
    • http://ashleighvaillancourt-winebrenner.com/uploads/1/3/1/0/131070393/danokuwet.pdf (in PDF document text)
    • http://undobat.com/uploads/1/3/0/5/130543976/6629371.pdf (in PDF document text)
    • http://letsgetrealationships.com/uploads/1/3/0/7/130775542/b103da1.pdf (in PDF document text)
    • http://vineconnection.net/uploads/1/3/1/3/131398129/2762613.pdf (in PDF document text)
    • http://kylomoon.com/uploads/1/3/0/9/130969016/fikijunepubedememu.pdf (in PDF document text)
    • http://obrienfamilyreunion.com/uploads/1/3/1/0/131071129/wunaxebi-mebimeledup.pdf (in PDF document text)
    • http://kimcoatesphotography.com/uploads/1/3/1/3/131379021/vatiduwalaka-xisisepolo-ninurafegil-mexatake.pdf (in PDF document text)
    • http://hideawaybar-grill.com/uploads/1/3/0/3/130313188/gojerixejapozu_pewesodatikejin.pdf (in PDF document text)
    • http://electrene.com/uploads/1/3/0/3/130379069/kumivawur.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00035f07.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x35F07 | 12656 bytes
  SHA-256: 77188958eddbcff9ed6a7ae5b1e5d2ab02daa914ab8ca0df74320323e88a9b5c
font_01_sfnt_off000387ee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x387EE | 6368 bytes
  SHA-256: 5bff85bca6ca130273c853add52f99fcdf3306c1b4b26a793539d1589cd5cfc0
font_02_sfnt_off00039ba9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x39BA9 | 16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63