Malicious PDF — malware analysis report

Static analysis result for SHA-256 4625d4b2277a1461…

Verdict: MALICIOUS
File type: PDF
Size: 79.0 KB
Created: 2021-03-15 04:46:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: 15316b0871434e76193d42239998fbd7
SHA-1: 988c3023bfbd080df848b82e77c1487f5634ac80
SHA-256: 4625d4b2277a1461bfe3148ca51fde37534683217b0770acc90c1980bf1968b1
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF document was flagged as malicious by ClamAV (a Pdf.Phishing.Trojan signature) and by the Nyx PDF classifier. Its link annotation carries a /URI action that sends the reader to an external, attacker-controlled host; the other URLs were recovered from document text (several are XMP/RDF namespace URIs and font-licence links rather than navigable targets) and are informational, not detections. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically through an incremental update appended after the original %%EOF. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, script or launch target).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/123?utm_term=submit+form+using+ajax+and+get+response (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4417530/normal_5ff337a6eae35.pdf (in PDF document text)
    • http://scoretdho.best/naditovenibigapufey3mtd.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4376611/normal_5ff78b5bc32d8.pdf (in PDF document text)
    • http://devgame.design/33461645051ge2pg.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4416150/normal_6043740833533.pdf (in PDF document text)
    • http://apple-fruit.space/kazewcwa2u.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4464527/normal_5fc85a593742a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4481173/normal_60189f66000a8.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4472774/normal_603d11fd6bd5f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4388412/normal_6014fe0a848cd.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7cc0009b-bb04-47de-9d4f-c416980380f6/sink_drain_parts_diagram.pdf (in PDF document text)
    • https://s3.amazonaws.com/wujapu/thomas_cook._caa._co._uk_claim_form.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/75d39a87-0b38-460b-948a-b72a9d40c557/bomepat.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1165a521-7837-44c2-bf63-10ceb4d1644f/vampire_diaries_season_8_episode_12_soundtrack.pdf (in PDF document text)
    • https://s3.amazonaws.com/sirilagewuga/ff_bauer_grotesk_bold_free.pdf (in PDF document text)
    • https://s3.amazonaws.com/lovetijif/lukugujiwak.pdf (in PDF document text)
    • https://s3.amazonaws.com/sezewu/capillary_electrophoresis.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0e7c2850-3e29-446d-8862-72e8fc5e0591/pharmacology_calculations_made_easy.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/aa63cebd-9efd-44c8-8fb7-2152494da468/60499790970.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ad968fe0-87e4-48b9-99bc-6ac043758e01/92443574162.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c73c0838-fbd9-41fa-a86f-16a5e8110545/twilight_saga_eclipse_full_movie_in_hindi_download_480p_filmywap.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fc30e34f-dc2e-4aa9-aef4-70bc2f14451c/ciccarelli_psychology_5th_edition_chapter_2.pdf (in PDF document text)
    • https://s3.amazonaws.com/kovilowab/21878989875.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
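The two heuristics above, the duplicate-object check (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the per-channel URL labelling (EMBEDDED_URL), can both be reproduced with a raw-byte scan that does not trust the xref table. The Python below is an added example written for this page, not the analyzer's own code: the PDF bytes, host names, the list of "active content" keys and the "high" severity label are all constructed for the illustration. It redefines the page's only link annotation in an incremental update, then shows that a first-wins and a last-wins reader follow different targets, and separates annotation-reachable URLs from URLs that merely occur in document text.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a tiny PDF whose incremental update
# redefines object 4, the page's only link annotation, with a different /URI target.
# Host names are illustrative placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/benign) >> >> endobj
5 0 obj << /Length 48 >> stream
BT (See http://docs.example.net/guide.pdf) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://phish.example.invalid/login) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" is scanned over the raw bytes rather than via the xref table,
# so every definition is seen, including ones a rewritten xref would hide from a reader.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
TEXT_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Keys treated as "active content" (assumed list, chosen to match the heuristic's wording).
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR)\b")


def scan_objects(data):
    """Map (num, gen) -> list of body bytes in file order, so [0] is first and [-1] last."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def duplicate_objects(defs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: the same (num, gen) defined with differing bodies."""
    out = {}
    for key, bodies in defs.items():
        if len(set(bodies)) > 1:
            out[key] = {
                "first-wins": bodies[0],
                "last-wins": bodies[-1],
                # Body-only differences are normal in benign incremental updates;
                # only escalate when some version carries an action or script.
                "active": any(ACTIVE_RE.search(b) for b in bodies),
            }
    return out


def link_annotation_urls(defs, policy):
    """URLs reachable through /Link annotations under one object-resolution policy."""
    urls = []
    for bodies in defs.values():
        body = bodies[0] if policy == "first-wins" else bodies[-1]
        if LINK_RE.search(body):
            urls.extend(u.decode("latin-1") for u in URI_ACTION_RE.findall(body))
    return urls


def analyze(data):
    defs = scan_objects(data)
    dups = duplicate_objects(defs)
    link_urls = {p: link_annotation_urls(defs, p) for p in ("first-wins", "last-wins")}
    reachable_by_link = set(link_urls["first-wins"]) | set(link_urls["last-wins"])
    # Everything else matching a URL pattern in the raw bytes is labelled "document text":
    # content streams, XMP namespaces, font licence links. Informational, not a detection.
    text_urls = sorted({u.decode("latin-1") for u in TEXT_URL_RE.findall(data)} - reachable_by_link)
    severity = "info"
    if any(d["active"] for d in dups.values()):
        severity = "high"  # assumed label; the report only says severity "is raised"
    return {"duplicates": dups, "severity": severity, "link_urls": link_urls, "text_urls": text_urls}


if __name__ == "__main__":
    report = analyze(SAMPLE_PDF)
    for (num, gen), d in report["duplicates"].items():
        print(f"object {num} {gen} defined twice, active={d['active']}, severity={report['severity']}")
    for policy, urls in report["link_urls"].items():
        print(f"{policy:>10} reader follows: {urls}")
    print("document-text URLs:", report["text_urls"])
```

When triaging a real sample, run the duplicate check before extracting URLs: a scanner that only follows the xref (last-wins) will report the phishing target, while a viewer that honours the first definition shows the benign one, and both readings belong in the report.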

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f30e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF30E
  Size: 5716 bytes
  SHA-256: 9fa5de5389ddbf3873e4e78eb7d4d7b2ca6daae8154a3aacce33b84841ccc520

Filename: font_01_sfnt_off00010674.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10674
  Size: 11732 bytes
  SHA-256: 7fc57f82f91435a219caa07467ce6e67e0a62c23b58c0c8382fac3a3b2b705cc