Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e6d5126646d1668…

Verdict: MALICIOUS
File type: PDF
Size: 74.2 KB
Created: 2021-06-07 04:43:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62703fabb36efb3c436d3ffcf807bc94
SHA-1: d56e9285b0ac317ace97cfb02e5037a0d10b394a
SHA-256: 4e6d5126646d16686b990a9049a69c0f9eac6631c7086ce682eb0ba6a2dbbd67
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was flagged as malicious by both the machine learning classifier (Nyx PDF Classifier, score 0.9991) and ClamAV, whose signature names it a phishing trojan (Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0). The visible document text, although heavily obfuscated, is built around a movie-download lure, and an external URL action was also extracted that points to a page advertised as a movie download (the pistant.ru URL listed under Embedded URL), which is consistent with a phishing pretext rather than an exploit document. Two caveats for the reader: the ATT&CK tag T1059.007 (JavaScript) is not corroborated by any heuristic in this report, since the only active content detected is the URI action; and the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding means a first-wins scanner and a last-wins viewer may not resolve the same object content, so the rendered document should be confirmed with a viewer-equivalent parser before the lure text is quoted as evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader (one that takes the first definition met in a linear scan) and a last-wins reader (one that follows the incremental-update chain, as viewers do) will resolve different content, a parser-confusion shape used by targeted PDFs to leave a scanner and a viewer looking at different objects. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, script or embedded file).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://pistant.ru/pbw?utm_term=fast+and+furious+8+full+movie+sub+indonesia+download
    • https://static.s123-cdn-static-d.com/uploads/4426418/normal_60b14af81ec5a.pdf
    • https://static.s123-cdn-static-d.com/uploads/4479470/normal_60b2b608239fa.pdf
    • https://cdn-cms.f-static.net/uploads/4422637/normal_6011ebbe67ff5.pdf
    • https://static.s123-cdn-static.com/uploads/4377936/normal_5fdf2675a424f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://werinenimuta.pbworks.com/f/machine_learning_vtu_notes.pdf
    • https://uploads.strikinglycdn.com/files/e4b43fa4-4c3f-4e7a-a674-76d81b05edc4/porque_un_dia_es_como_mil_aos.pdf
    • https://uploads.strikinglycdn.com/files/f37ad301-36a8-4d04-a6d2-5cdac691cff8/excel_spreadsheet_download_sample.pdf
    • https://uploads.strikinglycdn.com/files/524c7173-8243-4565-8ea5-d60c2c88843b/kiki_do_you_love_me_instrumental_ringtone_mp3_download.pdf
    • http://tiduxikuve.pbworks.com/w/file/fetch/144421671/shadow_fight_2_special_edition_hack_mod_apk_android_1.pdf
    • https://uploads.strikinglycdn.com/files/a0956776-55b4-463b-b395-bc4472b5459d/how_to_make_jabra_freeway_discoverable.pdf
    • https://uploads.strikinglycdn.com/files/3c65681c-9ad2-4cee-b1bf-92c42a3cc4b1/putigapof.pdf
    • http://deburajuza.pbworks.com/w/file/fetch/144752991/georges_marvellous_medicine_activities.pdf
    • http://jezopisi.pbworks.com/w/file/fetch/144667344/meselitirapirofedo.pdf
    • http://zixereves.pbworks.com/w/file/fetch/144660669/fumefelawititubi.pdf
    • http://ragasegena.pbworks.com/f/social_studies_textbook_for_shs.pdf
    • https://uploads.strikinglycdn.com/files/14328f2c-30ad-4951-b323-88abe3e3e121/lawonosuve.pdf
    • http://xegosigex.pbworks.com/w/file/fetch/144755907/wegimupukes.pdf
    • http://mapijakemifo.pbworks.com/w/file/fetch/144458409/xilinujunimoluv.pdf
    • https://uploads.strikinglycdn.com/files/a3861269-bc9a-4b27-9319-4c71c06c8500/60037842897.pdf
    • https://uploads.strikinglycdn.com/files/061dc7f8-71db-4a46-bfd7-be1396230cdc/divunirudawiwojaguduri.pdf
    • http://devopiporo.pbworks.com/f/98336031865.pdf
    • https://uploads.strikinglycdn.com/files/599e8a1f-dc0b-4184-9076-49ea8857a27e/real_estate_license_texas_classes_near_me.pdf
    • https://uploads.strikinglycdn.com/files/ea677edf-2b95-4498-8e64-41eefc0ee796/bigogaxofigiwelopewajurup.pdf
    • http://neruwuk.pbworks.com/f/multiplicar_y_dividir_por_10_100_y_1000_ejercicios.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are RDF/XMP namespace identifiers from the document metadata and the SIL Open Font License reference carried by the embedded fonts; they are not lure links and should not be blocked or pivoted on.
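The two structural findings above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL with per-channel labels, can be reproduced with a byte-level scan. The following is an added example written for this page, not the analyser's own code: it indexes every `N G obj ... endobj` definition, reports objects whose bodies differ between definitions together with what a first-wins and a last-wins reader would each resolve, escalates only when a duplicate carries active content, and labels extracted URLs by channel. The sample PDF, the channel names (`link-annotation`, `document-body`, `xmp-namespace`) and the list of active-content keys are this example's own constructions.

```python
import re
from collections import defaultdict

# Constructed two-revision PDF, not the analysed sample.  It has no xref
# tables, which a byte-level scanner does not need.  Revision 1 defines
# object 4 0 as a harmless link annotation; the appended revision redefines
# 4 0 with a /URI action, so first-wins and last-wins readers disagree.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] >> endobj
5 0 obj << /Length 49 >> stream
BT (Download at https://lure.invalid/movie) Tj ET
endstream endobj
6 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns:pdf="http://ns.adobe.com/pdf/1.3/"><rdf:Description pdf:Producer="wkhtmltopdf 0.12.5"/></rdf:RDF>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://example.invalid/lure) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Keys that make a dictionary something a reader acts on; the heuristic
# above only escalates when a duplicate carries such content.
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile)\b")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
PLAIN_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
XMP_PREFIXES = ("http://ns.adobe.com/", "http://purl.org/dc/", "http://www.w3.org/1999/02/")


def index_objects(data):
    """Map (object number, generation) to every body defined for it, in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def duplicate_objects(data):
    """Objects defined more than once with differing bodies, with what a
    first-wins and a last-wins reader would each resolve."""
    findings = []
    for key, bodies in index_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            findings.append({
                "obj": key,
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
                "active": any(ACTIVE_RE.search(b) for b in bodies),
            })
    return findings


def extract_uris(data):
    """(url, channel) pairs.  Channel labels are this example's own:
    link-annotation for /URI actions, xmp-namespace for RDF/XMP namespace
    identifiers, document-body for anything else found by a plain scan."""
    found = []
    for bodies in index_objects(data).values():
        for body in bodies:
            for m in URI_ACTION_RE.finditer(body):
                found.append((m.group(1).decode("latin-1"), "link-annotation"))
    for m in PLAIN_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if any(u == url for u, _ in found):
            continue
        channel = "xmp-namespace" if url.startswith(XMP_PREFIXES) else "document-body"
        found.append((url, channel))
    return found


if __name__ == "__main__":
    for d in duplicate_objects(SAMPLE_PDF):
        sev = "critical" if d["active"] else "info"
        print(f"{d['obj'][0]} {d['obj'][1]} obj defined twice, differing bodies [{sev}]")
        print("  first-wins:", d["first_wins"].decode("latin-1"))
        print("  last-wins: ", d["last_wins"].decode("latin-1"))
    for url, channel in extract_uris(SAMPLE_PDF):
        print(f"{channel:16} {url}")
```

File order is only a proxy for resolution order: a real viewer follows the xref chain from `startxref` and `/Prev`, so an attacker can also reorder definitions or point the chain at the older copy. Treat the scanner's "last-wins" output as a hypothesis and confirm which body the target viewer actually renders.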

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are the document's embedded fonts in sfnt form (the TrueType/OpenType container); no heuristic fired on either of them.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e16f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE16F    5492 bytes
  SHA-256 3b9c6404a1d4c3ef9024e373be33934e2195c1d982eb8386fba0c6bb06a69195
font_01_sfnt_off0000f419.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF419   10896 bytes
  SHA-256 de3aee0c4dec74b4c75ae31e169457a46f33bec5f7e635739eb163f77cf5a5c7
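Before a carved font stream such as font_00_sfnt_off0000e16f.bin is handed to a font-parsing tool, it is worth confirming that the blob is a well-formed sfnt and that its table directory fits inside the carved bytes. The following is an added example, not the analyser's own carver: it parses the 12-byte offset table and the 16-byte table directory entries and reports tables that run past the end of the blob, which is what a short carve or a corrupt directory looks like. The `build_sfnt` helper and both blobs are constructed for illustration and are not real fonts; the carved files from this sample would be read from disk in their place.

```python
import struct

# sfnt version tags this check recognises (TrueType, CFF-based OpenType,
# Apple 'true').  Font collections ('ttcf') are out of scope here.
SFNT_FLAVOURS = {b"\x00\x01\x00\x00": "TrueType",
                 b"OTTO": "OpenType/CFF",
                 b"true": "TrueType (Apple)"}


def parse_sfnt(blob):
    """Parse the 12-byte offset table and the 16-byte-per-entry table
    directory.  Returns (flavour, {tag: (offset, length)}, problems); every
    table must lie inside the blob, otherwise the carve is short or the
    directory is bogus."""
    if len(blob) < 12:
        return None, {}, ["shorter than the 12-byte offset table"]
    flavour = SFNT_FLAVOURS.get(blob[:4])
    if flavour is None:
        return None, {}, ["unknown sfnt version tag %r" % blob[:4]]
    num_tables = struct.unpack(">H", blob[4:6])[0]
    problems, tables = [], {}
    if 12 + 16 * num_tables > len(blob):
        problems.append("directory claims %d tables but blob holds fewer" % num_tables)
        num_tables = (len(blob) - 12) // 16
    for i in range(num_tables):
        entry = blob[12 + 16 * i: 28 + 16 * i]
        tag, _checksum, off, length = struct.unpack(">4sIII", entry)
        name = tag.decode("latin-1")
        tables[name] = (off, length)
        if off + length > len(blob):
            problems.append("table %s [0x%x+0x%x] extends past end of blob" % (name, off, length))
    return flavour, tables, problems


def build_sfnt(tables, truncate=0):
    """Constructed helper (not a real font): assemble a minimal TrueType
    blob from {tag: bytes}, optionally chopping `truncate` bytes off the end
    to mimic a carver that stopped early."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    directory, body = b"", b""
    base = 12 + 16 * n
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
    blob = header + directory + body
    return blob[:len(blob) - truncate] if truncate else blob


# Constructed inputs: a well-formed blob and the same blob cut 10 bytes short.
GOOD_BLOB = build_sfnt({b"head": b"\0" * 54, b"glyf": b"\x01" * 20})
SHORT_BLOB = build_sfnt({b"head": b"\0" * 54, b"glyf": b"\x01" * 20}, truncate=10)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_BLOB), ("short", SHORT_BLOB)):
        flavour, tables, problems = parse_sfnt(blob)
        print(label, flavour, tables, problems or "ok")
```

A blob that passes this check is merely structurally complete; it says nothing about whether the glyph or hinting data inside is benign, so the carved fonts still belong in the artifact set with their hashes rather than being discarded.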