Malicious PDF — malware analysis report

Static analysis result for SHA-256 3172588aca3484f0…

Verdict: MALICIOUS
File type: PDF
Size: 77.0 KB
Created: 2021-04-03 20:35:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-16
MD5: 7ad56c172d4a28ab05a2ee9744ffa819
SHA-1: bf966a66901a1c829a95a4c4619aee6d235e21aa
SHA-256: 3172588aca3484f06bdbe26a25e82dde04c56e998957d6e04a49268aec828893
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URL pointing to a suspicious domain, likely intended for phishing or malware distribution. The document body, though heavily obfuscated, suggests a lure related to an 'accident report form'. No scripts were extracted, but the presence of an external URI and the ML detection strongly indicate a malicious intent to redirect the user to a compromised site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/award?keyword=esi+accident+report+form+12+pdf [PDF link annotation]
    • https://static.s123-cdn-static.com/uploads/4369317/normal_60080b1f43ca2.pdf [PDF document text]
    • https://static.s123-cdn-static.com/uploads/4476416/normal_60025a2122cb9.pdf [PDF document text]
    • http://www.ascendercorp.com/ [PDF document text]
    • http://www.ascendercorp.com/typedesigners.html [PDF document text]
    • https://uploads.strikinglycdn.com/files/000aa8b6-b42b-45bb-b074-a96bf21ba7ee/black_ice_car_freshener_smells_like.pdf [PDF document text]
    • https://s3.amazonaws.com/dibedamoka/23835312110.pdf [PDF document text]
    • https://s3.amazonaws.com/musokejixami/12098728631.pdf [PDF document text]
    • https://s3.amazonaws.com/jeponowon/bokepinetosijupi.pdf [PDF document text]
    • https://s3.amazonaws.com/fejakixoweka/libro_de_balance_de_comprobacion_formato.pdf [PDF document text]
    • https://s3.amazonaws.com/nodetuxapabara/what_books_are_different_in_catholic_bible_and_protestant.pdf [PDF document text]
    • https://s3.amazonaws.com/lupebesu/diduw.pdf [PDF document text]
    • https://s3.amazonaws.com/jazofi/what_is_the_voice_bible.pdf [PDF document text]
    • https://s3.amazonaws.com/xumakomowi/music_an_appreciation_9th_edition_access_code.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/24ca249e-f665-44fe-8e18-f747b63de54b/how_to_join_special_operations_engineer_regiment.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/922fd3be-8c1b-4796-b29d-df643313eb34/89298316904.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/96975f54-de37-4e6d-bdf0-b95b9f937423/vokirofijemawotufuzi.pdf [PDF document text]
    • https://s3.amazonaws.com/timituvupame/what_is_the_average_salary_for_a_junior_project_manager.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/690180e2-dc21-44d5-9d6e-4809ca47e36f/74854275743.pdf [PDF document text]
    • https://s3.amazonaws.com/nojemi/avg_for_windows_7.pdf [PDF document text]
    • https://s3.amazonaws.com/zusevamasor/valunaputilagazasosomizok.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/8af3e7b7-fe1f-461c-bc2a-b1eea009f255/59699705608.pdf [PDF document text]
    • https://s3.amazonaws.com/gezetega/romolakudeved.pdf [PDF document text]
    • https://s3.amazonaws.com/tonemakopinibem/wiperufadosigi.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/c1b5a0be-f095-4637-98ef-5fa851c445b6/how_much_is_john_grisham_worth.pdf [PDF document text]
    • https://uploads.strikinglycdn.com/files/eca5b93a-8858-461c-a4c9-b46fc7b45076/songs_missing_from_itunes_on_pc.pdf [PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [PDF document text]
    • http://purl.org/dc/elements/1.1/ [PDF document text]
    • http://ns.adobe.com/pdf/1.3/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/ [PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/ [PDF document text]
    • http://scripts.sil.org/OFL [PDF document text]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000efbd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFBD
    Size: 5412 bytes
    SHA-256: fb24fd6fd5bd9fe15f617eb704d719e0be69533d64bf6390c6a6856ea7e41ff6
  • font_01_sfnt_off00010214.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10214
    Size: 10668 bytes
    SHA-256: df53bd5d446e81b2c51243ebd7966c5bfd8d285dcc58ec06dc4afc6a606dcf62