Malicious PDF — malware analysis report

Static analysis result for SHA-256 562c67f0cfb37cd7…

MALICIOUS

PDF

Size: 80.5 KB
Created: 2021-06-05 14:00:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0d2889803f93f45c6b05ad32bf307b61
SHA-1: 1fa4cde42dd309bb9d39beb5e2688702525b1671
SHA-256: 562c67f0cfb37cd79d3cc8d8279ed153297319e4d46657ada0e350bbbeb04fdb
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by the ML classifier and by ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL action that sends the reader to a suspicious domain, most likely as part of a phishing or malware-distribution scheme. Although the document body is heavily obfuscated, its metadata indicates it was generated by wkhtmltopdf, a legitimate HTML-to-PDF converter that is also used to produce malicious PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://chcial.ru/wb?keyword=2004%20cts%20v%20top%20speed
    • https://cdn-cms.f-static.net/uploads/4374002/normal_601f0cc75ccfe.pdf
    • https://cdn-cms.f-static.net/uploads/4484814/normal_5fd8d3b6f0026.pdf
    • https://cdn-cms.f-static.net/uploads/4411714/normal_604363938743e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/4391972c-9328-4ed5-a3ff-849043224b12/3d_crystal_puzzle_t_rex_instructions.pdf
    • http://volikedejefa.pbworks.com/w/file/fetch/144615429/josuj.pdf
    • https://uploads.strikinglycdn.com/files/5e0325dd-18dc-4869-b2eb-77daa761623f/36179361311.pdf
    • http://mevuteled.pbworks.com/f/what_is_enthalpy_change_of_neutralization.pdf
    • http://kolelulu.pbworks.com/f/sight_words_list_for_grade_2.pdf
    • https://uploads.strikinglycdn.com/files/088dd9b8-1693-4752-8244-960942382e85/83659607992.pdf
    • https://uploads.strikinglycdn.com/files/ca3b3702-d949-4721-a978-4c29cf23b75f/what_does_it_mean_when_my_lg_dryer_says_check_filter.pdf
    • http://pugaxigodaka.pbworks.com/w/file/fetch/144616914/download_sakura_school_simulator_mod_apk_versi_lama.pdf
    • https://uploads.strikinglycdn.com/files/b932ed14-7b43-44cf-a5c5-d0aa62aa9e29/langston_hughes_death_and_legacy.pdf
    • https://uploads.strikinglycdn.com/files/82470cbd-f738-4155-b3f0-fb28caee30f6/lafometi.pdf
    • https://uploads.strikinglycdn.com/files/8b0bb21b-3ab4-42be-8590-c2084b8ee35b/nimepevugewumoposerofuge.pdf
    • http://vimadutukad.pbworks.com/f/maxevijurena.pdf
    • https://uploads.strikinglycdn.com/files/85a9c87b-de6c-441a-81ba-745d866fe18a/73293349507.pdf
    • https://uploads.strikinglycdn.com/files/2b75a2b8-d4d9-4f7c-8e8c-efdb4a6727e9/gebad.pdf
    • https://uploads.strikinglycdn.com/files/89b51458-e0a0-4f23-bd65-5dd4afe3bc78/cloudy_with_achance_of_meatballs_2_cast.pdf
    • http://ruwomodanom.pbworks.com/f/full_wave_controlled_rectifier_using_scr.pdf
    • https://uploads.strikinglycdn.com/files/4df19926-756e-4a9f-b468-924afaeef37c/56664900792.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f2e4.bin
    SHA-256: 716d2e71fa90a1005713ab4a62ad762e829ad2bd312f58a76b53f12a89bc5415
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF2E4
    Size: 4688 bytes
  • font_01_sfnt_off000102e3.bin
    SHA-256: a325b05803f833598a103e6f868b9608368eb2f845176b46fec298665ece95e4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x102E3
    Size: 10668 bytes
  • font_02_sfnt_off00012718.bin
    SHA-256: 781b9fae2fb9201b4a05d2041fea553bb2973f1d011ab9c51e3326c72e342c60
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12718
    Size: 4324 bytes