Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d0d23a0118913af…

Verdict: MALICIOUS
File type: PDF
Size: 71.7 KB
Created: 2021-06-08 14:00:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 478be8c0992891389e993e379a0f2641
SHA-1: 96499469f1c6ae8d655d4d869f1f55d379ee2e7d
SHA-256: 3d0d23a0118913afe49b722d7f4bb227f6bc9985a25f3d7fdf1a296316840286
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ClamAV and an ML classifier, with heuristics indicating the presence of an external URI. The embedded URL, 'https://ketchas.ru/pbw?...', is likely part of a phishing or malware distribution scheme. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6313

Heuristics (3)

  • ClamAV detection (CLAMAV_DETECTION, severity: critical)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (PDF_URI, severity: info)
    PDF contains an external URL action.
  • Embedded URL (EMBEDDED_URL, severity: info)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ketchas.ru/pbw?utm_term=find+the+coordinates+of+the+circumcenter+of+the+triangle+whose+vertices+are+%2528-3+1%2529 (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
font_00_sfnt_off0000df9e.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF9E  | 5944 bytes
  SHA-256: e2d2bc2a4becb9b1daaba1b12101e332fe485e2b8cfd8f0661af08d0f0882779
font_01_sfnt_off0000f3e9.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3E9  | 11232 bytes
  SHA-256: d360d00cea55d9a57d4dfe6edab4b5c7b3be5a613cacc87ae2217428fc8e5495