Malicious PDF — malware analysis report

Static analysis result for SHA-256 48f2790464af56a2…

Verdict: MALICIOUS
File type: PDF
Size: 76.8 KB
Created: 2021-03-30 00:19:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: b7d6758200d32a1eddfc41d87ef3e7ee
SHA-1: f290010a1f700ad23c3881547b2e3a720a90bb2f
SHA-256: 48f2790464af56a2f5e6119a3c47222e327ca1025df1c78c9ffa1f5a8153f818
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

Both the machine learning classifier and ClamAV flag the file as malicious; the ClamAV signature names it a PDF phishing trojan. The document carries a link annotation whose URI action points to 'https://xajibur.ru/strik?utm_term=my+cloud+storage+8tb', most likely a phishing or malware-distribution landing page; the utm_term value matches the lure theme. The document body text is heavily obfuscated but references cloud storage, consistent with a "cloud storage" lure. The same indirect object number is also defined twice with different bodies, so first-wins and last-wins readers may resolve different content for it.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/strik?utm_term=my+cloud+storage+8tb  (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4460457/normal_6053237bc23cf.pdf  (in PDF document text)
    • https://cdn.sqhk.co/fezifoxunif/6Ztjehe/ryan_kakao_friends_pillow.pdf  (in PDF document text)
    • https://cdn.sqhk.co/rolidofajug/8x2ghsf/weramewotusuposi.pdf  (in PDF document text)
    • https://cdn.sqhk.co/nikofejujel/TOmjhln/pabumuwu.pdf  (in PDF document text)
    • https://cdn.sqhk.co/tusufawenu/1Ehftie/cosmos_db_emulator.pdf  (in PDF document text)
    • https://cdn.sqhk.co/suwojixuwebi/i17NhgT/my_kutty_movies_collection_2015.pdf  (in PDF document text)
    • https://cdn.sqhk.co/fixeruzef/8Oibijc/let_it_be_piano_sheet_music_chords.pdf  (in PDF document text)
    • https://cdn.sqhk.co/jadilogivusa/yy7hdje/bohr_s_atomic_model_worksheet.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4480383/normal_603294e7ccb34.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4481406/normal_604f069dae5d6.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text)
    • https://s3.amazonaws.com/mafavuzenoliki/how_to_program_clicker_garage_door_opener_with_liftmaster.pdf  (in PDF document text)
    • https://s3.amazonaws.com/nelizenejakarug/midi_to_mp3_converter_for_android_apk.pdf  (in PDF document text)
    • https://s3.amazonaws.com/xupizewuxere/49715635913.pdf  (in PDF document text)
    • https://s3.amazonaws.com/nowokil/paladin_warlock_5e_guide.pdf  (in PDF document text)
    • https://s3.amazonaws.com/wekibik/management_skills_test_upwork_answers.pdf  (in PDF document text)
    • https://s3.amazonaws.com/muvemasoxaji/medatamepuses.pdf  (in PDF document text)
    • https://s3.amazonaws.com/podawakumepewez/pomavijojiwo.pdf  (in PDF document text)
    • https://s3.amazonaws.com/zalisujezajaje/what_book_number_is_fire_and_blood.pdf  (in PDF document text)
    • https://s3.amazonaws.com/vazisi/how_to_compute_binomial_probability_formula.pdf  (in PDF document text)
    • https://s3.amazonaws.com/xisefowu/how_to_review_a_medical_journal_article.pdf  (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in PDF document text)
    • http://purl.org/dc/elements/1.1/  (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)
    Only the xajibur.ru URL is wired to a link annotation, i.e. reachable by a click; the .pdf links on cdn.sqhk.co, cdn-cms.f-static.net and s3.amazonaws.com sit in the page text only. The w3.org, purl.org and ns.adobe.com entries are RDF/XMP metadata namespace URIs and scripts.sil.org/OFL is the SIL Open Font License URL carried in embedded font metadata; none of these is a navigable lure. The ascendercorp.com entries most likely also come from the embedded fonts' metadata (Ascender is a font foundry).
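The PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL findings above all come down to two questions a triage script can answer from the raw bytes: which indirect objects are defined more than once with different bodies, and which URLs are reachable through a /Link annotation as opposed to merely sitting in the document text. The Python below is an added example, not the report's own tooling or the sample itself: it runs over a constructed minimal PDF in which an incremental update redefines object 4 0 (the page's link annotation) with a different /URI, and resolves the duplicate under both a first-wins and a last-wins policy. The function names (`index_objects`, `duplicate_objects`, `resolve`, `link_uris`, `url_channels`) and the example.invalid URLs are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, not the file from the report: a minimal PDF whose incremental
# update redefines object 4 0 (the page's link annotation) with a different /URI.
# The /Prev offset is a placeholder; this scan ignores xref tables entirely.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/lure?utm_term=my+cloud+storage) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Regex scan of "N G obj ... endobj" bodies. This is a triage heuristic, not a PDF
# parser: it does not decode streams or follow xref, so objects hidden inside
# object streams are invisible to it.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\[\]]+")


def index_objects(data):
    """Map (num, gen) -> every body defined for it, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """(num, gen) pairs defined more than once with differing bodies."""
    return sorted(key for key, bodies in objs.items() if len(set(bodies)) > 1)


def resolve(objs, key, policy):
    """Pick the body a first-wins or last-wins reader would use."""
    bodies = objs[key]
    return bodies[0] if policy == "first" else bodies[-1]


def link_uris(objs, policy):
    """/URI targets of /Link annotations under the given resolution policy."""
    uris = []
    for key in objs:
        body = resolve(objs, key, policy)
        if LINK_RE.search(body):
            uris.extend(m.group(1).decode("latin-1") for m in URI_RE.finditer(body))
    return uris


def url_channels(data, objs, policy):
    """Label each URL in the raw bytes with the channel that reaches it:
    a clickable link annotation (under the chosen policy) or document text only."""
    annot = set(link_uris(objs, policy))
    channels = {}
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        channels.setdefault(url, set()).add(
            "link annotation" if url in annot else "document text")
    return channels


if __name__ == "__main__":
    objs = index_objects(SAMPLE_PDF)
    print("duplicate objects with differing bodies:", duplicate_objects(objs))
    for policy in ("first", "last"):
        print(f"{policy}-wins link URIs:", link_uris(objs, policy))
        print(f"{policy}-wins channels:", url_channels(SAMPLE_PDF, objs, policy))
```

The point of running both policies is the one the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic makes: a first-wins scanner would report only the benign URI as clickable and file the lure under "document text", while a last-wins viewer would actually follow the lure. Any URL that flips channel between the two policies deserves the raised severity the heuristic describes.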

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000eddf.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEDDF
  Size: 5548 bytes
  SHA-256: c9e83c1020ab007d26b8f7abde1b18534b4b19f10e53f5ecd9742ca4d9bf1015

Filename: font_01_sfnt_off000100d5.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x100D5
  Size: 10904 bytes
  SHA-256: d9efffb48bf0b79423377acc363c62d8a3fe0d33d6ce82ce714676590993f0c8