Malicious PDF — malware analysis report

Static analysis result for SHA-256 5173e243593e37dc…

Verdict: MALICIOUS
File type: PDF

Size: 83.5 KB
Created: 2021-04-02 11:04:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 545ecd3ed4bd07273c9086a3b65d8a2f
SHA-1: 8f4e16cf70f0cdbc65d99b0ba4ec0db36b074e41
SHA-256: 5173e243593e37dcea45e9602ddec52c65719b590b991aa252c599f9212bf3c9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (source channel):
    • https://fokemale.ru/wix?keyword=blackweb+bluetooth+party+speaker (PDF link annotation)
    • http://moneymaya.site/pixel_world_3d_pc_emulatorqm8k9.pdf (in PDF document text)
    • http://esclub.pro/664350009479w424.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4473047/normal_604870b3e9f16.pdf (in PDF document text)
    • https://cdn.sqhk.co/fodexuxefeba/bzghhcc/bubble_shooter_legend_hack_mod_apk_download.pdf (in PDF document text)
    • http://nigasheff.xyz/manual_de_cabala_practicad3eho.pdf (in PDF document text)
    • http://getfreecreditreport.info/brother_pe770_service_manualrmaps.pdf (in PDF document text)
    • https://cdn.sqhk.co/vatomepipiw/bih5idV/83715680917.pdf (in PDF document text)
    • http://mediaverifiedbadge.com/45983560441z407l.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4462035/normal_605b41db62a06.pdf (in PDF document text)
    • http://nigasheff.xyz/19290098606wr3rd.pdf (in PDF document text)
    • https://cdn.sqhk.co/pinofizulag/jjtij8E/dope_live_wallpaper_hd_android_tablet_free_download.pdf (in PDF document text)
    • http://prostosite.site/televisor_element_19_elefw195vp026.pdf (in PDF document text)
    • http://prizinsta365.online/imdb_vikings_cast_season_5t9v3o.pdf (in PDF document text)
    • http://myyshooop227.site/26690288062dunzg.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/sigobija/64036556845.pdf (in PDF document text)
    • https://s3.amazonaws.com/bupesejirijejus/psychology_101_topics.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/328db90a-c0ab-4520-a447-7470ef5d3e74/basic_math_formulas_cheat_sheet.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2ed3a336-d679-4dfc-a749-53ea84e5c70f/86092857064.pdf (in PDF document text)
    • https://s3.amazonaws.com/jinotugiwomo/volkswagen_body_repair_shop_near_me.pdf (in PDF document text)
    • https://s3.amazonaws.com/kavalukato/vizimomawesuzora.pdf (in PDF document text)
    • https://s3.amazonaws.com/buwosevax/lusaxepovi.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4443eaaa-eb67-43aa-894e-6fc2fb302d8d/instalar_dd_wrt_linksys_wrt54g_v8.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001055e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1055E
    Size: 5468 bytes
    SHA-256: fd99428000f7b76989a31a24f443c3ffd0ab937c8b0eefe960d5d72a1617e38d
  • Filename: font_01_sfnt_off0001180c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1180C
    Size: 12336 bytes
    SHA-256: a2f780e19291c6aa71c6f3e04fa6d321d00cc993de61c7285166083d2e44597f