Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c7e71965e5d5b92…

MALICIOUS

PDF

Size: 136.4 KB
Created: 2021-05-21 01:31:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: 62d12fc10975a97056aeea8d6c110cce
SHA-1: 5b79d3d5dee1c1ce72737c67bfd97410eb3507d9
SHA-256: 4c7e71965e5d5b921b1ee16aeb7acbecadae278488a437b685d81ee1ab5d4173
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that keeps the first definition and a reader that keeps the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://soxebez.ru/strik?utm_term=khilafat+o+malookiat+hindi+translation+pdf (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4488569/normal_5fe27dd89238e.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4416660/normal_604d2b411b2e4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369520/normal_600af58af29a3.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4485301/normal_5fd3a5a2bb42b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4491934/normal_605b4d0f4c0a7.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4413707/normal_5fdc48d9ddf80.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4459165/normal_5fcf60fe3c664.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4459941/normal_6023d959ed685.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4443326/normal_5fca4a4b9467b.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a3d0da34-6c65-4144-b44d-85cc26cafe9f/rome_total_war_2_game_guide.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6ea42bc9-d1f6-4945-9432-ac07523762f8/royal_caribbean_alcohol_package_discount.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c1a45aa4-019d-478c-8e2e-0fa0f075308f/mewejejagixirewin.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/606f809f-7484-4e55-b26d-a94b850560ce/cen_tech_infrared_thermometer_calibration_procedure.pdf (in PDF document text)
    • https://s3.amazonaws.com/dosalapasenow/journey_to_the_center_of_the_earth_2_full_movie_in_hindi_720p_free_download.pdf (in PDF document text)
    • https://s3.amazonaws.com/tujeviwakirawu/5368178264.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c1e45714-80fa-4017-928e-660137cfa000/xifaritu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/eaeb8499-3ef7-4c1b-987d-d568ff6ef046/99547864265.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d6f874a7-461f-44cc-96b5-522c98b5e85b/abdul_kalam_books_in_tamil_list.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ab71a815-d766-4bf3-9764-85fd73f69759/how_to_program_a_ti_30x_iis.pdf (in PDF document text)
    • https://s3.amazonaws.com/legobegutulo/borakakemuwinafemakewolob.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/38fb4457-7d8d-4874-ae12-f207622b6457/bevobet.pdf (in PDF document text)
    • https://s3.amazonaws.com/vekodupiwarobi/messenger_privacy_settings_android.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6854c635-40ea-494f-8d92-03689b6777e3/94295042584.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0e01e970-8f49-47af-9960-5dc9288900b7/219270592.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5b6e5b89-3880-4db2-8c4f-1ce4e4d1285d/99865444344.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a71a295a-086c-46c8-bd91-bdb0312186c2/kukesexov.pdf (in PDF document text)
    • https://s3.amazonaws.com/ganubifirigevi/57441996860.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f8b239d0-bc57-4e22-af27-af0b832efa94/glencoe_algebra_1_chapter_6_standardized_test_practice_answers.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • stream_005_off0001e24b.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1E24B
    Size: 26160 bytes
    SHA-256: 9ffc8551a76a4a21d1aa89b29135a713b82139fb1cf22f6715c18201167ca483
  • font_00_sfnt_off0001a65b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A65B
    Size: 5316 bytes
    SHA-256: 9eb561a4b4853aa4dcc189f414ac227feea1a34587874126c40580d582d5d851
  • font_01_sfnt_off0001b843.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B843
    Size: 12456 bytes
    SHA-256: fc20791a4358695592d9e5d85f590e6c658ff50c46a23b044444bc011f59d76c