Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c1cef28dc4b0e90…

MALICIOUS

PDF

Size: 73.4 KB
Created: 2020-12-15 20:23:06 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: a5390230f7f8caee2314d0616ea94c40
SHA-1: d32d5261f17d7f2bb9c8061bba97a852c262a6b6
SHA-256: 3c1cef28dc4b0e9050060fc2ced2ae8187d33438793657a2949105fe7506b5b7
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffe.ru/strik?utm_term=you+are+a+badass+book+pdf+in+hindi (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4378836/normal_5f8e345ed21b0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4478146/normal_5fd1600db1140.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4501041/normal_5fbd2e11d26c4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470677/normal_5faffdd9e3f79.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4446390/normal_5fa0a3c7d4546.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4375340/normal_5f8e7bbba918a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4481695/normal_5fb2664bd1446.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • https://uploads.strikinglycdn.com/files/997dec8c-8429-4a8c-91c2-78e6621c5b80/pomosu.pdf (in PDF document text)
    • https://s3.amazonaws.com/gofilafixu/walton_county_fire_department_jobs.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc042db8787e8798968ae67/t/5fc2a6273570fb44d159c8e7/1606592042501/66363220909.pdf (in PDF document text)
    • https://static1.squarespace.com/static/5fc00570a3bf4b14aba44e61/t/5fc0e62b145a8629dcd1ff93/1606477356286/temajujetuxijub.pdf (in PDF document text)
    • https://s3.amazonaws.com/xarojapi/clinical_anatomy_of_the_eye_richard_snell_free_download.pdf (in PDF document text)
    • https://s3.amazonaws.com/jemazejodep/verujadixemulab.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c6990787-2e8d-42c6-ada6-6f97c684609f/18579440043.pdf (in PDF document text)
    • https://s3.amazonaws.com/tesasubawalozan/zinunazojononu.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000c8c3.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xC8C3   5260 bytes
  SHA-256: 528699734ab9aab5ee20886e9cc97506cab40a36dfd75407e6dd15e5f6dfc343
font_01_sfnt_off0000da99.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xDA99   10308 bytes
  SHA-256: 42d84da148daa594eaf69aaec13b2e9b157a7c5fd46dd590a7114bc4b86c1d6f
font_02_sfnt_off0000fe2c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xFE2C   7880 bytes
  SHA-256: b702363ec71f9274807ce3a5d65fc268e09476ceed477fcbec85b516184889b6