Malicious PDF — malware analysis report

Static analysis result for SHA-256 44031e4c801d9f14…

Verdict: MALICIOUS
File type: PDF
Size: 58.7 KB
Created: 2020-12-23 04:44:34 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: bd43756782e06f1e90d2a011f0af2705
SHA-1: 9c7a9c4133ad79372115e8838cc30fda40a42eb6
SHA-256: 44031e4c801d9f14931301e94cddb85e242de6b847b1f0dd4ca6a011a29044ee
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, likely for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to song lyrics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature named above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafficel.ru/strik?utm_term=my+sweet+angel+lyrics (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000aaf9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAAF9
    Size: 5168 bytes
    SHA-256: 935bbec11b9c8773b252b40fd93e3f4f6d21eb54f8591f4408cebbc754e57c5e
  • font_01_sfnt_off0000bcc0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBCC0
    Size: 9916 bytes
    SHA-256: 756765ff844684a58bca041525bc27ec9ad05462eccbbfa6b29344bcf1ccd3eb