Malicious PDF — malware analysis report

Static analysis result for SHA-256 42157a2a5467e5a9…

MALICIOUS

PDF

Size: 76.2 KB
Created: 2021-06-09 11:35:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 54a1a0a7309b97d8933e1dcd47356134
SHA-1: e4db9987aee7b5f6b9ebd0c71fd2efda7bb557c0
SHA-256: 42157a2a5467e5a92ea8b57a348cef5da06069f236b7494fe59a3ae51ed157cf
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8022

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (with the channel that reached each one):
    • https://oniceh.ru/pbw?utm_term=comfort+zone+psychology+pdf (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4484118/normal_5fea361c31cc2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4463788/normal_60b9b90d87db1.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4505358/normal_603142d0297cf.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4453743/normal_602b614912fa5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4450356/normal_60420b3d60874.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4393641/normal_5ff8bcd53e2f1.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4419650/normal_5fcf6bc085c98.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4469359/normal_5fca6ef220789.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4378606/normal_6030a252d851e.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4424361/normal_5febb7b3055ab.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4383322/normal_5ff925f8f221e.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4471514/normal_5ff7f6160a551.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369765/normal_602abd97e3342.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4458628/normal_5fcf4491e8cf5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4415962/normal_604dacf139bed.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4446260/normal_602fb38e40751.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4412380/normal_60377e611786d.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4374368/normal_6054847a78484.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://jizakatum.pbworks.com/f/lalibekisujabodijel.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/229f64a6-f45d-41b1-8a5d-bcf691619aa0/lusutuzuzejowilaw.pdf (in PDF document text)
    • http://xuwedateredu.pbworks.com/f/python_programs_for_practice.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7413d394-51ec-4b5e-9fca-8b020647376a/maytag_bravos_washer_stuck_on_sensing.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/960e9858-bff9-4101-926f-66c681091c37/1996_jeep_cherokee_sport_for_sale.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5e0357a8-28db-4b48-8da8-5f5dda40c9d9/nedegoti.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010914.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10914
    Size: 5416 bytes
    SHA-256: a775c1f660a3d8331e424e492503416aba72755ec5ca8a75d733470332270036