Malicious PDF — malware analysis report

Static analysis result for SHA-256 4159486b4f5587f7…

MALICIOUS

PDF

Size: 80.6 KB
Created: 2021-04-01 04:46:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6be10e86a41e71333206f324fd09a5eb
SHA-1: 76f7b98328425eb48c588c267f57dda649e76fbc
SHA-256: 4159486b4f5587f7e48b5b36a63c695385839e4d6cca1145798d8d3a3a215480
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of embedded URIs. The link targets in the document body follow one pattern: PDF-named files on free-hosting subdomains and document-upload CDNs (getenjoyment.net, mypressonline.com, cdn.sqhk.co, s123-cdn-static.com, f-static.net and similar), plus one URL with a keyword-style query string that appears to be part of a phishing or malware distribution scheme. The remaining URIs (w3.org, purl.org, ns.adobe.com, scripts.sil.org, dejavu.sourceforge.net, ascendercorp.com) are XMP namespace identifiers and font licence strings from the embedded DejaVu fonts and are benign. The ML classifier score and the ClamAV signature both indicate malicious intent, most likely redirecting the reader to an external site for credential harvesting or further payload delivery. No JavaScript or other script content was extracted, so the T1059.007 mapping is not corroborated by the static evidence; the verdict rests on the combination of the link-target URI set, the classifier and the signature rather than on the presence of external URIs alone.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, which is a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are common in benign incremental updates (saved edits append a new definition of the same object), so severity is raised only when the duplicate carries active content (an action, JavaScript, a launch or a URI).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/award?keyword=calendario+uem+2020+pdf
    • http://vawadofofasip.getenjoyment.net/fejobud.pdf
    • http://pemufosapakem.mypressonline.com/what_jobs_do_interior_designers_do.pdf
    • https://cdn.sqhk.co/wakewafo/yGxibjd/zojubemijuv.pdf
    • https://static.s123-cdn-static.com/uploads/4407066/normal_5fc7452076524.pdf
    • https://cdn-cms.f-static.net/uploads/4383929/normal_6038e5961382d.pdf
    • https://static.s123-cdn-static.com/uploads/4489834/normal_5fed1b026d66a.pdf
    • http://bagidopivulo.mywebcommunity.org/dimipud.pdf
    • https://static.s123-cdn-static.com/uploads/4380379/normal_5fcf3c1db9653.pdf
    • https://cdn-cms.f-static.net/uploads/4464078/normal_60199f7b1042b.pdf
    • https://cdn-cms.f-static.net/uploads/4495395/normal_602167570ad44.pdf
    • https://cdn-cms.f-static.net/uploads/4380223/normal_5fdba1e5f1e21.pdf
    • https://cdn.sqhk.co/daposofoxig/hbVeljd/lisabusosidusekavugog.pdf
    • https://cdn-cms.f-static.net/uploads/4485305/normal_6061f9f8a1116.pdf
    • http://sipataj.sportsontheweb.net/tipos_de_almacenamiento_en_la_nube.pdf
    • https://cdn-cms.f-static.net/uploads/4411498/normal_60567e6219d01.pdf
    • https://static.s123-cdn-static.com/uploads/4370090/normal_5fe4119e0c703.pdf
    • https://cdn-cms.f-static.net/uploads/4489251/normal_601fd750ac350.pdf
    • http://wapividazofar.scienceontheweb.net/isms_understanding_architectural_styles.pdf
    • https://static.s123-cdn-static.com/uploads/4425487/normal_5ffd189f03e1a.pdf
    • https://cdn-cms.f-static.net/uploads/4461207/normal_6064e90d5fac8.pdf
    • https://static.s123-cdn-static.com/uploads/4376086/normal_5ff0631727493.pdf
    • https://cdn.sqhk.co/vetukalujir/1N5AxGe/84176664926.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jisijuvod.myartsonline.com/usps_how_to_mail_international_letter.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
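The two heuristics above, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a small scanner that walks every "N G obj ... endobj" definition in the file, groups definitions by (object number, generation), and then resolves each object once as a first-wins reader and once as a last-wins reader. The example below is added here for illustration; it is not the analysis tool's own code. The sample PDF it scans is constructed inline: an original body whose link annotation (object 4) carries a /URI action, followed by an incremental update that redefines "4 0 obj" with a /JavaScript action, so the two reader policies reach different content. The /Prev offset and the URL example.invalid are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): original body, then an incremental
# update that redefines object 4 with a different body. /Prev offset is illustrative.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (http://example.invalid/lure.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI values only; hex strings and escaped parentheses are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make a duplicate definition worth more than "info" severity.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")


def parse_objects(data):
    """Map (object number, generation) -> every body defined for it, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(objs):
    """Keys defined more than once whose bodies are not all byte-identical."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(objs, key, policy):
    """Emulate a first-wins ('first') or last-wins ('last') reader for one object."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]


def has_active_content(body):
    return any(k in body for k in ACTIVE_KEYS)


def extract_uris(objs, policy):
    """URIs a reader with the given resolution policy would actually act on."""
    uris = []
    for key in objs:
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(resolve(objs, key, policy)))
    return uris


def report(data):
    """One finding per duplicated object, plus the URI set seen under each reader policy."""
    objs = parse_objects(data)
    findings = []
    for key, bodies in duplicate_objects(objs).items():
        active = any(has_active_content(b) for b in bodies)
        findings.append({
            "rule": "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL",
            "object": "%d %d" % key,
            "definitions": len(bodies),
            "first_wins_active": has_active_content(resolve(objs, key, "first")),
            "last_wins_active": has_active_content(resolve(objs, key, "last")),
            "severity": "medium" if active else "info",
        })
    return {
        "findings": findings,
        "uris_first_wins": extract_uris(objs, "first"),
        "uris_last_wins": extract_uris(objs, "last"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_PDF), indent=2))
```

On the constructed sample a first-wins reader sees the /URI action and a last-wins reader sees the /JavaScript action, which is exactly the discrepancy the heuristic is built to surface; a scanner that only follows the cross-reference table (last-wins) would report no external URL for object 4 at all. Real files also hide objects inside object streams (/ObjStm) and use hex strings, so a production scanner has to inflate those before applying the same grouping.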

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000dff0.bin
    SHA-256: b4497f19d72e38959dd08e0b8adf2537787149229e0b6f87c47293e13aaac428
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDFF0
    Size: 5188 bytes
  • font_01_sfnt_off0000f176.bin
    SHA-256: 1b4216b538c0fd9843d5d93944d21bdddbaa3f12ffa05f63f9c89ecd2c8550e5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF176
    Size: 15100 bytes
  • font_02_sfnt_off00011dd7.bin
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11DD7
    Size: 16204 bytes
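The artifact entries above (kind, file offset, decoded size and SHA-256) are what a stream carver produces: it locates every stream ... endstream span, inflates it when it is FlateDecode, and keeps the result if the decoded bytes start with an sfnt signature (0x00010000 for TrueType, OTTO for CFF OpenType, true or ttcf for Apple-style tables). The example below is added for illustration and is not the analysis tool's own carver; it builds its own small PDF inline with a fake, structurally minimal sfnt blob and one non-font stream, so the recorded offset, size and digest can be checked against the constructed input.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
# "stream" keyword followed by EOL, but not the "stream" inside "endstream".
STREAM_START = re.compile(rb"(?<!end)stream\r?\n")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def build_sample():
    """Constructed PDF (not the analysed file): one FlateDecode stream holding a
    fake sfnt blob (header + one 'head' table record + zero padding) as object 5,
    and one FlateDecode stream holding page content as object 6."""
    font = (b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
            + b"head" + struct.pack(">III", 0, 28, 54) + bytes(54))
    text = b"BT /F1 12 Tf (hello) Tj ET"

    def stream_obj(num, extra, raw):
        comp = zlib.compress(raw)
        return (b"%d 0 obj << %s /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream\nendobj\n"
                % (num, extra, len(comp), comp))

    pdf = (b"%PDF-1.4\n"
           + stream_obj(5, b"/Length1 %d" % len(font), font)
           + stream_obj(6, b"", text)
           + b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return pdf, font


def carve_sfnt(data):
    """Return one record per stream whose decoded bytes carry an sfnt signature.
    Offset is the file offset of the raw stream data, size is the decoded length."""
    found = []
    for m in STREAM_START.finditer(data):
        start = m.end()
        end = data.find(b"endstream", start)
        if end < 0:
            break
        raw = data[start:end]
        try:
            # decompressobj tolerates trailing EOL bytes and truncated streams,
            # returning whatever was recoverable instead of raising.
            blob = zlib.decompressobj().decompress(raw)
        except zlib.error:
            blob = raw  # not zlib data: treat the stream as stored/unsupported filter
        if blob[:4] in SFNT_MAGICS:
            found.append({
                "offset": start,
                "size": len(blob),
                "sha256": sha256_hex(blob),
                "blob": blob,
            })
    return found


if __name__ == "__main__":
    pdf, _ = build_sample()
    for i, hit in enumerate(carve_sfnt(pdf)):
        print("font_%02d_sfnt_off%08x.bin  %d bytes  %s" % (i, hit["offset"], hit["size"], hit["sha256"]))
```

The signature check runs on the decoded bytes, not the raw stream, which is why the entries above report a decoded size rather than the /Length in the stream dictionary. Carving fonts is mostly about completeness of the artifact inventory; a sample produced by wkhtmltopdf with DejaVu fonts is expected to contain exactly this kind of stream, and the digests let the fonts be deduplicated across samples from the same lure kit.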