Malicious PDF — malware analysis report

Static analysis result for SHA-256 31b6b382cc255e30…

Verdict: MALICIOUS
File type: PDF

Size: 83.9 KB
Created: 2021-03-02 10:45:52 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-14
MD5: de31186f91ed90b2102326fd5c6fb9ad
SHA-1: 26e325379fa9f3fbdc64cb580d6bf6c3a6755401
SHA-256: 31b6b382cc255e3082c272c586b43d996e421111f86f9b01d307847e0b015623
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an external URI and a heuristic firing for a download button, suggesting a phishing or social engineering lure. ClamAV detection and an ML classifier further indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and external links are commonly used to deliver second-stage payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f452.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF452 | 5456 bytes
  SHA-256: b065691d04bc7510aff20f177f7e2ac45e404251b206cbdcd2752bb1108b2a9d
font_01_sfnt_off000106dd.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x106DD | 14436 bytes
  SHA-256: 327c7be34e8c75600ec63ed4219b3737fc416dd1fa1ec04887cecf2a4cecc217
font_02_sfnt_off00013413.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13413 | 4324 bytes
  SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176