Malicious PDF — malware analysis report

Static analysis result for SHA-256 57511306a90664f5…

MALICIOUS

PDF

Size: 75.0 KB
Created: 2021-03-17 22:10:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 92d29118a1be826e2ec21d1a21d5881a
SHA-1: 2220ec61b555332cb11e0a5569abc0e2b7548473
SHA-256: 57511306a90664f53e2c1ac69663ebf162b48eaa457e7006cf6afa070e868cc4
Risk Score: 286

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains an embedded JavaScript payload, detected by ClamAV as Pdf.Phishing.Trojan-d2568dad23a94d95. The embedded script likely attempts to download and execute a second-stage payload from one of the numerous external URLs found within the document. The presence of 'powershell.pdf' in the document text and the ML classifier's high confidence further support a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/strik?utm_term=2001+mitsubishi+eclipse+transmission+fluid+type  (channel: PDF link annotation)
    • https://cdn.sqhk.co/xupumekejaxa/iXhdtDY/marvel_realm_of_champions_beta_country.pdf  (channel: PDF document text)
    • http://tetoxukipim.getenjoyment.net/45232562011.pdf  (channel: macro / runtime command snippet)
    • http://wei-nmvc.com/mokirizenukozgers.pdf  (channel: macro / runtime command snippet)
    • http://skameyki.club/69211739959e8az9.pdf  (channel: PDF document text)
    • http://axecheat8.xyz/charge_dipole_interaction3lb55.pdf  (channel: PDF document text)
    • https://cdn.sqhk.co/wodelaganav/hebiigg/wear_os_spotify_apk.pdf  (channel: PDF document text)
    • http://rebezun.mygamesonline.org/mowenavepefo.pdf  (channel: PDF document text)
    • http://bovibuvebus.getenjoyment.net/kepopilurugel.pdf  (channel: PDF document text)
    • http://raifaisentgo.online/12045261848cy33i.pdf  (channel: PDF document text)
    • http://henrysavbr.site/118492988702wi6d.pdf  (channel: PDF document text)
    • http://kuliwegi.sportsontheweb.net/bovufexivo.pdf  (channel: PDF document text)
    • http://remastacer.com/the_cancer_journals_audre_lorde_sparknotesjvu3u.pdf  (channel: PDF document text)
    • https://cdn.sqhk.co/sovanoniwuva/dJjagcn/adolf_hitler_soundboard_download_free.pdf  (channel: PDF document text)
    • https://cdn.sqhk.co/xupumekejaxa/iXhdtDY/marv  (channel: macro / runtime command snippet; URL truncated as extracted)
    • http://www.ascendercorp.com/  (channel: PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/b1255231-446e-49cf-8c17-c588d3a6eab3/text_file_to_html_powershell.pdf  (channel: PDF document text)
    • https://s3.amazonaws.com/vazisi/ximusularoz.pdf  (channel: PDF document text)
    • https://s3.amazonaws.com/tomaxade/lavepafuv.pdf  (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/3094ae0c-9aee-4231-8664-297daf458603/5_languages_of_apology_test.pdf  (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/30d4db12-f914-485a-8885-4334153246fc/44514767227.pdf  (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/cbfa9b9c-11c9-48bd-942d-fdd0537ed68b/what_colors_do_psychologically.pdf  (channel: PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (channel: PDF document text)
    • http://purl.org/dc/elements/1.1/  (channel: PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/  (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (channel: PDF document text)
    • http://scripts.sil.org/OFL  (channel: PDF document text)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_pdf_script_00008ef8.bin | pdf-embedded-script | PDF decompressed stream script payload at offset 0x8EF8 | 76817 bytes
SHA-256: 55b497ddabcc6f37e364ede48d93c46bad6eab6fcfe5c2aad8647e060020a701
Detection
ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
%PDF-1.4
1 0 obj
<<
/Title (�� 2 0 0 1   m i t s u b i s h i   e c l i p s e   t r a n s m i s s i o n   f l u i d   t y p e)
/Creator (�� w k h t m l t o p d f   0 . 1 2 . 5)
/Producer (�� Q t   4 . 8 . 7)
/CreationDate (D:20210317221057+02'00')
>>
endobj
3 0 obj
<<
/Type /ExtGState
/SA true
/SM 0.02
/ca 1.0
/CA 1.0
/AIS false
/SMask /None>>
endobj
4 0 obj
[/Pattern /DeviceRGB]
endobj
6 0 obj
<<
/Type /XObject
/Subtype /Image
/Width 625
/Height 155
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Length 7 0 R
/Filter /DCTDecode
>>
stream
[binary DCTDecode (JPEG) image stream bytes omitted: non-printable data]
... (truncated)
font_00_sfnt_off0000e741.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE741 | 5868 bytes
SHA-256: ca7c2b7a29eb83a6f0f8afac9b1b05e79b96d9ca466aef094f296a494dedc6de
font_01_sfnt_off0000fb15.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB15 | 10412 bytes
SHA-256: 1ef30247f9b023df516317296808155ea82e0af008fb25884c9d3b071be4c325