Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a1d88e819fd7a18…

Verdict: MALICIOUS

File type: PDF

Size: 90.8 KB
Created: 2021-01-29 23:49:46 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: fc15a562dfda58c18b67652250bbdd8a
SHA-1: d4037fa419403f27f025628aa9219a713c1b5d8b
SHA-256: 4a1d88e819fd7a18e3854bf3e9ac6d88ba7a09b8266c4a92499108cde62a4e87
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious external website. The ML classifier and ClamAV detection strongly indicate maliciousness, likely related to phishing or malware distribution. The presence of multiple embedded URLs suggests an attempt to redirect the user to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000102e2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x102E2
    Size: 5096 bytes
    SHA-256: b449b589d3d00efc8e8047b416b06bada22d6497ae2f30980b7c6447486b3c9b
  • font_01_sfnt_off00011429.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11429
    Size: 10980 bytes
    SHA-256: 92baa1a58ce05dc87d14ab826e20b5b466e122050385cf68f2eadde7b70da656
  • font_02_sfnt_off000139ee.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x139EE
    Size: 16220 bytes
    SHA-256: 4d901a5703b37eddc79c048b506ac428237e71cd9dad73c1d07f23376767d9e0
  • font_03_sfnt_off00014f3d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14F3D
    Size: 4324 bytes
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3