Malicious PDF — malware analysis report

Static analysis result for SHA-256 49c046c13e1867a9…

MALICIOUS

PDF

Size: 68.0 KB
Created: 2020-12-24 06:20:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 925b6643e2354aa1c65100db8109f3a8
SHA-1: d592418bf7bd1ee00537473306e807ea7b669899
SHA-256: 49c046c13e1867a9d9b5fe55c6c52f007a0bcb5b7b003084b882b819ae2ea814
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a URL that is likely part of a phishing or social engineering campaign, as indicated by the 'talking tom cat 2 online' lure in the URL and the ML classifier's high confidence score. The ClamAV detection further supports its malicious nature. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/strik?utm_term=talking+tom+cat+2+online
    • https://cdn-cms.f-static.net/uploads/4485929/normal_5fd779526f495.pdf
    • https://cdn-cms.f-static.net/uploads/4366952/normal_5f8755fb0be2a.pdf
    • https://cdn-cms.f-static.net/uploads/4458148/normal_5fa62fafa66d5.pdf
    • https://cdn-cms.f-static.net/uploads/4387814/normal_5fc10a7a30df7.pdf
    • https://static.s123-cdn-static.com/uploads/4372073/normal_5fded7a16f606.pdf
    • https://cdn-cms.f-static.net/uploads/4367938/normal_5fc373820a56a.pdf
    • https://cdn-cms.f-static.net/uploads/4382192/normal_5f8bf2c7c9aa2.pdf
    • https://cdn-cms.f-static.net/uploads/4365601/normal_5f99d2dea71ab.pdf
    • https://cdn-cms.f-static.net/uploads/4414873/normal_5f9b4319bc5ff.pdf
    • https://cdn.sqhk.co/rubekafux/biagejg/soxazaxelim.pdf
    • https://static.s123-cdn-static.com/uploads/4369648/normal_5fceb2a7e404f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/e0adad17-367f-4d02-8c31-f690c8ace35e/levivujofufelevarepi.pdf
    • https://uploads.strikinglycdn.com/files/77eae4a7-6fe3-43da-bb42-4286b857dd7f/mr_doody_lyrics.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000ce9c.bin
    SHA-256: 1f9f4665f72b6e5380c13f91ffe5875153ae5396c2f12222ed680af122a55b53
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCE9C
    Size: 4988 bytes
  • font_01_sfnt_off0000df8c.bin
    SHA-256: cde5fbb098fc742090a56be608e2b5d751a93846b4c39d272736f87625825b98
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDF8C
    Size: 10564 bytes