Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e4254233dcfeb45…

Verdict: MALICIOUS
File type: PDF
Size: 78.0 KB
Created: 2020-12-21 06:46:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     372f3b74eea4e6e1fc662be29283f87a
SHA-1:   552bc161e7b74717978dd345ef5bdf63ac6a64a1
SHA-256: 2e4254233dcfeb4599bd491a40c2c33dd571567c38333daa487430059625b099
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
Nothing in the heuristics below evidences JavaScript in this file; the only active content listed is a URI action, so the T1059.007 mapping is not corroborated by this report.

The PDF carries a URI action whose target is trafffe.ru, a domain unrelated to the document's ostensible content, which is the pattern of a phishing or malware-distribution lure. The ML classifier and the ClamAV signature agree on the verdict. The body text, though heavily obfuscated, contains the phrase 'snake zone worm io 2020 mod apk', which is also the utm_term of the trafffe.ru URL: the file is a search-engine lure aimed at users looking for modified Android applications, generated with wkhtmltopdf from an HTML page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV signature: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains a URI action (an /A << /S /URI ... >> entry on a Link annotation). The summary above identifies trafffe.ru as its target; this is the channel a user's click follows.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (a URI, JavaScript or launch action).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) are not reproduced on this page. The highlighted URL is the one reached through the URI action:
    • https://trafffe.ru/strik?utm_term=snake+zone+worm+io+2020+mod+apk
    Of the remaining URLs, in the order reported: the f-static.net, s3.amazonaws.com and strikinglycdn.com entries point at other PDFs on free-hosting CDNs with the same random-word naming pattern and are most likely sibling lure documents (an inference, not a finding of this report); the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers from the metadata stream; scripts.sil.org/OFL and dejavu.sourceforge.net are license URLs from the embedded DejaVu font metadata, and ascendercorp.com and daltonmaag.com are font-vendor URLs of the same kind.
    • https://cdn-cms.f-static.net/uploads/4407807/normal_5fb4a265cc297.pdf
    • https://cdn-cms.f-static.net/uploads/4501514/normal_5fb01965323b1.pdf
    • https://cdn-cms.f-static.net/uploads/4425915/normal_5fb554e42b2ff.pdf
    • https://static.s123-cdn-static.com/uploads/4489415/normal_5fc544fa07aec.pdf
    • https://cdn-cms.f-static.net/uploads/4467005/normal_5fd63c78a886f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/wesezuzuvalirik/donenabapisunavijibeninaf.pdf
    • https://s3.amazonaws.com/figidireki/oppo_a37_android_7._0_update.pdf
    • https://s3.amazonaws.com/potofaw/66161651641.pdf
    • https://uploads.strikinglycdn.com/files/2a2f756f-cbee-40ce-92d2-bc4d08931712/piponujumujumenotovaxewuv.pdf
    • https://s3.amazonaws.com/godoremitiwuja/6th_grade_reading_comprehension_test_nc.pdf
    • https://s3.amazonaws.com/migivewuwe/jevixepilor.pdf
    • https://uploads.strikinglycdn.com/files/1d2e89ce-7709-4915-b88c-e5f69af5998a/56766289078.pdf
    • https://s3.amazonaws.com/wajibile/how_can_i_write_22_in_words.pdf
    • https://uploads.strikinglycdn.com/files/792b964e-3973-434d-87eb-2f1ceb1b5d98/3000_solved_problems_in_linear_algebra.pdf
    • https://uploads.strikinglycdn.com/files/bbdb7c3d-9e60-459e-8890-5f352dc3f8ee/minuet_in_g_minor_sheet_music.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
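The two heuristics that matter here, the duplicated object and the channel-labelled URL extraction, are easy to reproduce on the raw bytes without trusting the file's xref. The script below is an added example written for this report, not the analysis platform's own code: it walks every "N G obj ... endobj" definition, reports object IDs that are defined more than once with differing bodies and whether either copy carries active content, shows which /URI target a first-wins reader and a last-wins reader would actually follow, and labels every extracted URL by the object type it was found in (URI action, XMP metadata, font stream, or other body). The sample PDF is constructed inline (no xref, minimal objects) and the domains example.com and lure.invalid are placeholders, not indicators from the analysed file. Hex-encoded PDF strings and object streams are not handled; a real triage would decode those first.

```python
import hashlib
import re

# Constructed sample, not the analysed file: a two-revision PDF whose
# incremental update re-emits object "4 0" (the page's Link annotation)
# with a different /URI. A first-wins reader follows the original target,
# a last-wins reader the update. No xref table on purpose: the scanner
# walks raw bytes because a hostile file's xref cannot be trusted.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://www.example.com/) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.invalid/strik?utm_term=mod+apk) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_STRING_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal strings only; hex <...> strings not handled
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# Keys whose presence in a duplicated object turns "benign incremental update" into "look closer".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/SubmitForm", b"/GoToR")


def parse_objects(pdf):
    """All indirect object definitions in file order: [(num, gen, body, offset)]."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3), m.start()) for m in OBJ_RE.finditer(pdf)]


def duplicate_objects(pdf):
    """Object IDs defined more than once with differing bodies (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    seen = {}
    for num, gen, body, off in parse_objects(pdf):
        seen.setdefault((num, gen), []).append((off, body.strip()))
    findings = []
    for (num, gen), defs in seen.items():
        if len(defs) < 2 or len({hashlib.sha256(b).hexdigest() for _, b in defs}) < 2:
            continue  # single definition, or byte-identical re-emission: not interesting
        first, last = defs[0][1], defs[-1][1]
        findings.append({"obj": f"{num} {gen}", "count": len(defs), "offsets": [o for o, _ in defs],
                         "active_content": any(k in first or k in last for k in ACTIVE_KEYS)})
    return findings


def resolve(pdf, num, gen, policy):
    """Body a reader would use for (num, gen) under a 'first' or 'last' duplicate-resolution policy."""
    defs = [b for n, g, b, _ in parse_objects(pdf) if (n, g) == (num, gen)]
    if not defs:
        return None
    return (defs[0] if policy == "first" else defs[-1]).strip()


def link_targets(pdf, policy):
    """URIs a reader with the given policy would actually follow from /URI actions."""
    targets = []
    for num, gen in sorted({(n, g) for n, g, _, _ in parse_objects(pdf)}):
        body = resolve(pdf, num, gen, policy)
        if URI_ACTION_RE.search(body):
            targets += [m.group(1).decode("latin-1") for m in URI_STRING_RE.finditer(body)]
    return targets


def channel_of(body):
    """Label the object so a URL found in it can be triaged by how it reached the document."""
    if re.search(rb"/Type\s*/Metadata", body):
        return "xmp-metadata"   # namespace URIs such as ns.adobe.com/xap are expected here
    if b"/FontFile" in body or b"/Length1" in body:
        return "font-stream"    # license/vendor URLs from font name tables
    if URI_ACTION_RE.search(body):
        return "link-action"    # clickable: this is the one that matters
    if b"/JS" in body or b"/JavaScript" in body:
        return "javascript"
    return "object-body"


def extract_urls(pdf):
    """Map URL -> set of channels, over every definition (duplicates included)."""
    channels = {}
    for _, _, body, _ in parse_objects(pdf):
        ch = channel_of(body)
        for m in URL_RE.finditer(body):
            channels.setdefault(m.group(0).decode("latin-1"), set()).add(ch)
    return channels


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        print("duplicate:", f)
    print("first-wins reader follows:", link_targets(SAMPLE_PDF, "first"))
    print("last-wins reader follows: ", link_targets(SAMPLE_PDF, "last"))
    for url, chs in sorted(extract_urls(SAMPLE_PDF).items()):
        print(f"{','.join(sorted(chs)):14} {url}")
```

Run against the analysed file, the interesting output is the pair of link_targets lists: if they differ, the file shows different link destinations to different readers, and the duplicate finding should be escalated from info regardless of how benign the incremental update looks.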

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded font programs (sfnt containers, i.e. TrueType/OpenType) of kind pdf-font-stream.

Filename                       Offset   Size         SHA-256
font_00_sfnt_off0000c6bc.bin   0xC6BC    3044 bytes  e3e01ecf909335f0b701527293c0a2247a60029f9d2aa37047baa59cca34a430
font_01_sfnt_off0000d19b.bin   0xD19B    5184 bytes  56b9f72790a23949c8e01efc2caffd1a4d2456b3ee3c4f31e64f84a4f87edd93
font_02_sfnt_off0000e329.bin   0xE329   10508 bytes  2950abf5a8cdf788232673bf858c95318c5563d3ee317d00db94248779a75667
font_03_sfnt_off00010737.bin   0x10737  16092 bytes  9af6fc3bf9d751f70540aea0fa47faa159a3604992cda23d2adcda3ffc5346b2
font_04_sfnt_off00011bfe.bin   0x11BFE   4324 bytes  a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
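Carved font blobs are worth a structural sanity check before they are handed to any renderer, because font parsers are a long-standing exploitation surface and a carve that starts at the wrong offset looks like a corrupt font. The script below is an added example, not the analysis platform's carver: it reads the sfnt header and table directory, flags table records or table ranges that fall outside the blob, and verifies each table's OpenType checksum (with the 'head' special case). It assumes the carved .bin files are stored as uncompressed sfnt data, which is what the "sfnt" kind above implies; the font it inspects is a constructed single-table TrueType blob, not one of the five carved files.

```python
import struct

SFNT_VERSIONS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF", b"true": "TrueType (Apple)"}


def table_checksum(data):
    """OpenType table checksum: sum of big-endian uint32 words, table zero-padded to a 4-byte multiple."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def inspect_sfnt(blob):
    """Parse the sfnt header and table directory, flagging out-of-range tables and bad checksums."""
    if len(blob) < 12:
        raise ValueError("too short for an sfnt header")
    version = blob[:4]
    if version not in SFNT_VERSIONS:
        raise ValueError(f"not an sfnt: magic {version!r}")
    num_tables = struct.unpack(">H", blob[4:6])[0]
    dir_end = 12 + 16 * num_tables          # table data must start after the directory
    tables, problems = [], []
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(blob):
            problems.append(f"table record {i} lies past the end of the {len(blob)}-byte blob")
            break
        tag, checksum, offset, length = struct.unpack(">4sIII", blob[rec:rec + 16])
        entry = {"tag": tag.decode("latin-1"), "offset": offset, "length": length, "checksum_ok": None}
        if offset < dir_end or offset + length > len(blob):
            problems.append(f"{entry['tag']!r}: range {offset}+{length} is outside the table area")
        else:
            data = bytearray(blob[offset:offset + length])
            if tag == b"head" and length >= 12:
                data[8:12] = b"\0\0\0\0"    # checkSumAdjustment is zeroed when checksumming 'head'
            entry["checksum_ok"] = table_checksum(bytes(data)) == checksum
            if not entry["checksum_ok"]:
                problems.append(f"{entry['tag']!r}: checksum mismatch")
        tables.append(entry)
    return {"format": SFNT_VERSIONS[version], "num_tables": num_tables, "tables": tables, "problems": problems}


def build_sample_font():
    """Constructed minimal TrueType blob: header plus one 'cvt ' table (not one of the carved fonts)."""
    cvt = b"\x00\x10\x00\x20"                # two control values
    num_tables = 1
    # searchRange / entrySelector / rangeShift for a single table are 16 / 0 / 0
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num_tables, 16, 0, 0)
    record = struct.pack(">4sIII", b"cvt ", table_checksum(cvt), 12 + 16 * num_tables, len(cvt))
    return header + record + cvt


SAMPLE_FONT = build_sample_font()

if __name__ == "__main__":
    print(inspect_sfnt(SAMPLE_FONT))
    print(inspect_sfnt(SAMPLE_FONT[:30]))   # truncated blob: the table range now overruns the file
```

A clean directory with matching checksums is what a wkhtmltopdf-embedded subset font should look like; a directory whose table count or offsets point beyond the blob means either a bad carve offset or a font that was never meant to be rendered, and the latter deserves a dynamic look before anyone opens the sample in a viewer.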