Malicious PDF — malware analysis report

Static analysis result for SHA-256 3be9aaafbdc138da…

Verdict: MALICIOUS
File type: PDF (34.8 KB)
Created: 2020-04-08 09:48:34 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: e8afcc0045bafb8b0ac1b33b7b9da3e8
SHA-1: 42181b5ab232048c1f5378791380d6324c144948
SHA-256: 3be9aaafbdc138da0558c4e83828e99e69612b232f4eb2ef24c4bb5baa336d1e
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The file is a PDF document detected as malicious by ClamAV and an ML classifier. It contains multiple embedded URLs pointing to external PDF files. The document body, though partially garbled, includes text related to data interpolation and references the wkhtmltopdf tool, suggesting it might be a lure to disguise the malicious intent. The primary attack pattern involves directing users to download and potentially open further malicious content from these external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-8722583-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8722583-0
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005f04.bin
SHA-256: f45b6acdee6a2a6bce5ff0e2f89e715b7721e436393dd6c76a5a50ff4d44ad3d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5F04
Size: 8632 bytes