Malicious PDF — malware analysis report

Static analysis result for SHA-256 49842fc2ba0aeceb…

MALICIOUS

PDF

Size: 74.5 KB
Created: 2021-03-13 14:07:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-02
MD5: 8d67e390794baefdc5964f4aebd03cc0
SHA-1: edd9ee6fa2aa11c208296d98212e33780156bd98
SHA-256: 49842fc2ba0aeceb5dddb1f223587a567ef5c6bdcb449149acf65828a252237c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to 'jottigo.ru'. This URL is likely used to redirect the user to a malicious site, as indicated by the 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' heuristics. The document body appears to be obfuscated or corrupted, but the presence of the URL and the malicious classification strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jottigo.ru/aws?utm_term=bose+acoustimass+10+15+pin (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e4aa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE4AA
    Size: 5320 bytes
    SHA-256: 1de6463d9169c25935d5e014d026a14bb8ed989a2c036f1721f3a63373088b75
  • font_01_sfnt_off0000f6bb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF6BB
    Size: 10976 bytes
    SHA-256: 0d28bd9b5a635986eb85938e6b4177912a337eac1005b9b9378ae09a1cd12d2c