Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f2a159f0fdb43c6…

Verdict: MALICIOUS
File type: PDF
Size: 76.9 KB
Created: 2021-03-06 08:49:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-03
MD5: 86efdedff3d589274d27d9ba788bd9a7
SHA-1: d84a8d4948ee296a72ec8d8454900ceb3733940f
SHA-256: 4f2a159f0fdb43c6411fc487c43654aadc148890edbc917b4fcb91e55156e30e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain. Heuristics flag the presence of external URIs, and the high ML score is corroborated by a ClamAV detection as a phishing trojan. The document body, though heavily obfuscated, suggests a lure related to a 'Twilight saga new moon plot summary'. The primary IOC is the external URL, most likely used to deliver a secondary payload or to conduct phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=twilight+saga+new+moon+plot+summary (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4381997/normal_603114988ee02.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4424672/normal_60244a1f0e6a6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4456378/normal_60365b6f5849b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4483856/normal_60147df77052c.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4475382/normal_601252c8ea6de.pdf (in PDF document text)
    • http://sunshop.pro/understanding_pathophysiology_6th_edition_freec5fca.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4475209/normal_5ff7ade7e7742.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4377717/normal_5fdbbd06b6f29.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4377663/normal_5fe42bbd0b36b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4496001/normal_5fd0e1e2ccd14.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4488349/normal_5fecb14f9228a.pdf (in PDF document text)
    • http://zerkalo-fugicar.website/16932704340k9bfv.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4371020/normal_6021ae94c98b6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4462035/normal_5fe78cfbc31e4.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4d59bc02-ef48-495f-838f-f56869ff8eb5/pesit.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1a79a309-be9a-455a-b4d8-260fdd121110/liwad.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bc0a73a6-6700-408b-96d9-80801e33c8d2/how_to_set_adt_alarm_system_at_night.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3a946fab-ea4f-4fc8-ae4d-9eb695850c41/41228310152.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f06cb2b4-ba21-48d1-a1ad-4c086f87e958/persepolis_pelicula_completa_en_espaol_youtube.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e2d18782-e604-45ae-b4ef-020f4c45f36f/rejudavaxeke.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c8f8500b-b8b4-4ff0-baaf-2f4a6b0aa476/ramaw.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ef0e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEF0E
    Size: 5376 bytes
    SHA-256: 629f2e7cd844af6ab3f2cc3a932afd9063844b5ca1e153685a7cf3ca74a4ecf9
  • font_01_sfnt_off00010145.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10145
    Size: 11080 bytes
    SHA-256: 4071cff3af55422c150866574d462223bed5b3e535efd3bbdd0e33f48edc7ed8