Malicious PDF — malware analysis report

Static analysis result for SHA-256 4baa132c34b84ba7…

Verdict: MALICIOUS
File type: PDF

Size: 243.4 KB
Created: 2021-05-28 12:25:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 5f94ef7f3f013702e92f3eef457d1355
SHA-1: d9a59f942b4abb01570dea61cffbb45b2d0f6060
SHA-256: 4baa132c34b84ba73ac969d7aa4981e11cade3c78c86e6c47cb1510fb90c420d
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9160

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-definition-wins reader and a last-definition-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00034ed2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x34ED2 | 5520 bytes
  SHA-256: ff9f31f8789b0fcbb754a54941c0c42309e51ef6ef500cd11ee1c0898e89c18f
font_01_sfnt_off00036196.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x36196 | 18404 bytes
  SHA-256: 6d70b309bdeed87738f332079c50fda010e7eab0730197f0d2d3720ee3590b71
font_02_sfnt_off00039a47.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x39A47 | 16204 bytes
  SHA-256: 532315dfdc59b350d447ad91845dd8cc72a836e684f536ab9a4305dc5b53fb8e
font_03_sfnt_off0003af77.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3AF77 | 4324 bytes
  SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c