Malicious PDF — malware analysis report

Static analysis result for SHA-256 367caf3a05fdbfdb…

MALICIOUS

PDF

Size: 76.7 KB
Created: 2021-03-24 05:50:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be06ed21297c4d3d5b25ddb496a612bb
SHA-1: 6899e010cd4f477db7dcea43c26ab951c7bc15ce
SHA-256: 367caf3a05fdbfdb2ab38a66850edfee6f85faded3bfdf7359480b9108ff13d5
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The document body, though heavily obfuscated, contains references to 'cnusd canvas login' and the authoring application 'wkhtmltopdf', suggesting a phishing lure. The embedded URL 'https://zajinet.ru/wix?keyword=cnusd+canvas+login' is the primary indicator of this phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/wix?keyword=cnusd+canvas+login
    • http://tixesikixux.mygamesonline.org/bin_sachivalay_clerk_paper_download.pdf
    • http://jozipuvuwuzaj.mywebcommunity.org/can_you_get_american_truck_simulator_on_ps4.pdf
    • http://dogalijun.scienceontheweb.net/zimulajuva.pdf
    • https://cdn.sqhk.co/sigidezok/hfOOqii/28814541368.pdf
    • https://cdn.sqhk.co/botonerepap/bOr2thb/air_fighter_games_apk.pdf
    • https://cdn.sqhk.co/lojewewure/hajhiaE/alternative_fuels_book.pdf
    • http://jedomagisuw.getenjoyment.net/rosudajiboxatokuwiritex.pdf
    • http://letaraluzim.scienceontheweb.net/85788754862.pdf
    • https://cdn.sqhk.co/kugefiruxat/0gcf0hh/followers_timeline_on_facebook_stops.pdf
    • https://www.cnusd.k12.ca.us/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/69ce4e79-f447-4960-958f-970b2859f315/burning_a_patch_in_airsoft_meaning.pdf
    • https://69f1164a-dcd3-4310-9fb4-3b67f03bdbb0.filesusr.com/ugd/9d7282_548fd06590e149fba10256cb02beca64.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f8e9726e-a367-453a-b183-d60909175fd0/puguf.pdf
    • https://7f1158f2-e44e-4cac-991a-806210d1dc3e.filesusr.com/ugd/e4a8e1_da8c1d843c7f4d32a6bc8ba0d15ce35f.pdf?index=true
    • https://2065f6f1-29fb-48ac-a230-4f4ab2d4b746.filesusr.com/ugd/b62953_38971e0bbe1943b995b9636bc50e7390.pdf?index=true
    • http://pawuzax.onlinewebshop.net/guverevu.pdf
    • https://uploads.strikinglycdn.com/files/a71682a9-d2c7-4db3-a36d-ba76a0432b36/78875054021.pdf
    • https://a4346b84-4611-49ab-b113-80c9188ca613.filesusr.com/ugd/078c79_678360c916e445df9d80f7bed3010aa2.pdf?index=true
    • https://68e1e3d4-268d-49bc-a8aa-b119cb10fea7.filesusr.com/ugd/3ceeb9_697ca0fe2dc0458e8cd21f77c257a5bd.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1c87e269-8b0a-4932-8c8a-5a9e2121a74f/crossfit_workout_calendar.pdf
    • http://bolirazebaf.myartsonline.com/16628138493.pdf
    • https://c1bbde11-5cda-4f7c-8b74-b2fe90b484f5.filesusr.com/ugd/1c8c6c_3f74e0edacd047adad58be64dfdbd0c2.pdf?index=true
    • https://8964868a-aef6-4da0-9a9b-29de7c28e0c5.filesusr.com/ugd/b910ae_565987fdb7b54ee990092b07002022d8.pdf?index=true
    • http://sefokirof.onlinewebshop.net/63962329565.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eb89.bin
    SHA-256: c6e8ddb0ac6afbf58da93e48289e5f0d00fdc8130414baeae8b39d03531948de
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB89
    Size: 4976 bytes
  • font_01_sfnt_off0000fc91.bin
    SHA-256: 1997ee8dae4b16cfcb4e6eefd3e26c132eb532337aba5c6758002205f4eeb21d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC91
    Size: 11520 bytes