Malicious PDF — malware analysis report

Static analysis result for SHA-256 316112d5ca1c0596…

MALICIOUS

PDF

Size: 80.9 KB
Created: 2021-02-27 06:45:44 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-23
MD5: c706da77b8628a6428ec62a9f84927d2
SHA-1: b6e4e8f6e269e151575a1977c6999dc4e121f859
SHA-256: 316112d5ca1c0596df56f1118ed43bd8f24b4b7e9ccb832366a97154778e751e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by a ClamAV detection and an ML classifier. It contains an embedded URI pointing to 'https://seumenha.ru/123?utm_term=hidden+valley+pool+rules', which is a strong indicator of a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and the presence of external URIs suggest it's designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/123?utm_term=hidden+valley+pool+rules (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f0ec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF0EC | 4880 bytes
  SHA-256: 7567624595beb6eda6f2e08c91f724f700f8b22a88c67ec18cb62f84a8c23106
font_01_sfnt_off00010180.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10180 | 11340 bytes
  SHA-256: e768249253b9841d2d05a38de39e136489f7cedfc4160aff2dcc4f9d22454d3b
font_02_sfnt_off0001285c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1285C | 4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378