Malicious PDF — malware analysis report

Static analysis result for SHA-256 5273b9c8cc7174bf…

Verdict: MALICIOUS
File type: PDF
Size: 98.0 KB
Created: 2021-04-03 07:46:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 17dc5dfc1af55537a18574fee50b10d1
SHA-1: 9db1fc6fad2215e20c9bfcd56bdfd3b1446db96a
SHA-256: 5273b9c8cc7174bfe81b622f41f6c9a0107b05e455e92865a150edc905415417
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/strik?utm_term=talk+to+me+in+korean+level+2+book+pdf (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4375702/normal_602fb98e048d2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380543/normal_60477576f1754.pdf (in PDF document text)
    • http://pimebujeben.66ghz.com/bloons_td_6_12._0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4465133/normal_5fe79b84329ac.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4455374/normal_600324d34dc19.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4451927/normal_5fe78b8b1548c.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/213c923b-509f-40bd-a9d1-58516011b52a/bamogisog.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f9cee3c1-153b-4126-b25c-e4cbb626096c/macbeth_act_3_scene_2_stylistic_devices.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9ce04b64-99d4-45dd-a4b6-11db8930d22a/how_to_write_a_essay_outline_examples.pdf (in PDF document text)
    • http://doborokozudu.epizy.com/workplace_health_and_safety_regulations.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d89ec518-612f-4b82-a8dc-9e5741e78dee/90470996210.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/13106063-d43d-4616-beee-0a943e03751e/xfi_gateway_instructions.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0f728e9c-6922-4e77-91c3-924313257edd/21522287138.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/44b69adf-edf5-4b27-ad58-bc087983e99e/gukojiwaviwofapebedeko.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1d07460a-1923-408e-b549-d1a124bfa6f6/red_wine_for_beginners_philippines.pdf (in PDF document text)
    • http://napilidowolaro.rf.gd/is_chick_fil_a_mac_and_cheese_good.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c1e0c208-8df0-48e2-ac6c-10bbdad63bf4/bujavofof.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/81fb4a68-37a0-45de-81b4-eb0bd9a2b4c9/2546829259.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ec6e8ae3-dcad-4c76-a330-74cca29c7f10/how_to_become_a_certified_medical_interpreter_in_washington_state.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2e5f1f3d-5c90-4f36-86f0-4155931bba1e/json_simple_tutorial_java.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/184ac466-ed90-453a-b7e3-ab5a1c2210c6/memitavipo.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7192e506-d9fb-4a35-92f9-e9aac7f93c28/problemas_de_trigonometria_resueltos_4o_eso.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bda41533-26bd-4597-b3b5-827aa40e1143/p21_in_colon_cancer_cells.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/03a516a6-8087-4ac2-aeb2-b90d9f185dcf/how_to_train_yourself_to_become_a_spy.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00011104.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11104
    Size: 14532 bytes
    SHA-256: 9d4ce1406d33cc86af22aff1bf105f31a207111767ec19ef79282ac2ec31a8e1
  • font_01_sfnt_off00013cb9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13CB9
    Size: 5352 bytes
    SHA-256: 75cdc1f03d35e48d94dbd406831f453596a3f14cb04084dd2ba6bd249bdb53cc
  • font_02_sfnt_off00014ede.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14EDE
    Size: 12180 bytes
    SHA-256: 4e7db8eb8ef728dd220524b25c9a9886eba57fcdd57890c318cfa333a2538274