Malicious PDF — malware analysis report

Static analysis result for SHA-256 338cf0779a7893c9…

Verdict: MALICIOUS

File type: PDF

Size: 74.3 KB
Created: 2020-11-14 05:39:39 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-02
MD5: 1b0b83dde8118a6ad31cada1055041d5
SHA-1: d3c115c1c2939b8705d98d8721f9aabb960dfbd6
SHA-256: 338cf0779a7893c98913a5af27250e891c17f95ec8f88ecc0292c40bba344c35

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000d8c7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD8C7 | 4988 bytes | 60f7950e32fcfa684384dd93b47b1a92d50788349ac5c20913ec0f4dcd54d6ce
font_01_sfnt_off0000e9b1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9B1 | 10732 bytes | e3b164ea58ddcd277c351945614a167339aaec93d3d40a0ac8d944673a62c087
font_02_sfnt_off00010e3f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E3F | 4324 bytes | cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34