Malicious PDF — malware analysis report

Static analysis result for SHA-256 51ac9c4a97934c88…

Verdict: MALICIOUS
File type: PDF

Size: 80.1 KB
Created: 2021-03-23 01:53:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23

MD5: 5472429e10adc237d400940088fc58d6
SHA-1: 8f36bd8f6e7b2a9d338096add199406d4f1a38be
SHA-256: 51ac9c4a97934c8896ac8dd8759104619c88850493fd8b7f38b5a49c23a4aa58

Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels state which channel (macro, JS, link annotation, document body, ...) reached each URL. For this sample, one URL was reached through a PDF link annotation and the remaining ones were found in the document text; the full list is omitted here.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fb6b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB6B
    Size: 5412 bytes
    SHA-256: 94f83b2ee2b3685c2eb705710083135064bd789ef73f740bb5b95dd2a1de2d51
  • Filename: font_01_sfnt_off00010db1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10DB1
    Size: 10808 bytes
    SHA-256: a6b0d9ca11256b43f1917e11b32d926db11ba38130986de2ae9c6257d9762964