Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d2f9c290d5ee570…

Verdict: MALICIOUS
File type: PDF
Size: 152.0 KB
Created: 2021-03-20 10:13:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 93d4ff3a2e11172ae43d45edbbcf8f29
SHA-1: 682d4300724c339b1e22109c42f3b4a19901771a
SHA-256: 3d2f9c290d5ee570bb7845e666f1d24ea443203647130c27e3343666f22c0f4e
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, and it contains an embedded URL pointing to a suspicious domain. The PDF structure and metadata suggest it was generated by wkhtmltopdf, a tool often used to create malicious documents. The primary IOC is the external URI that likely hosts a malicious payload or phishing page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pelibifir.ru/strik?utm_term=creating+shared+value+journal+pdf

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0001e4ac.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1E4AC  5064 bytes
  SHA-256: c64f98b8eb372393410997e14e10aab33c3b30cdd9b43e7e0d5719859cf0c75b
font_01_sfnt_off0001f642.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1F642  5344 bytes
  SHA-256: 5cc9fada923a1ec4d036097222c4ad9feb4311f7dfdafd6a45bc0fa0881c1fb1
font_02_sfnt_off00020876.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x20876  11792 bytes
  SHA-256: e686c79808e98d610998a786ce150dfeac15f88059bfc5dadd6af1d8706ed7ea
font_03_sfnt_off00022fe1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x22FE1  16204 bytes
  SHA-256: e93acd332f5893643511f4cefd38969ad5c744ad1b08842a788b6be7d277dd15
font_04_sfnt_off0002454b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2454B  2916 bytes
  SHA-256: c019ad62c4ac44234b40b3454eb52e1c94a967d74f6270b8e1403479fc685b7e