Malicious PDF — malware analysis report

Static analysis result for SHA-256 57a8df717b794d35…

Verdict: MALICIOUS
File type: PDF
Size: 77.9 KB
Created: 2021-06-10 02:00:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 60b3c59862da4bdfa99066fdc5b2b0d5
SHA-1: 66c817afce1c78ff752c5c9a9cab1e835ba9dad3
SHA-256: 57a8df717b794d35a425a1cc6ebb53a5e7c2377b41084631eb02554c3af49ee7
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries an external URI action whose target (https://jacksth.ru/123?utm_term=bitlocker++windows+7+home) embeds the search phrase "bitlocker windows 7 home" in its utm_term parameter, consistent with a search-engine-driven download lure. The SE_PASSWORD_ARCHIVE_LURE heuristic indicates that the document text instructs the reader to open a password-protected archive, a common tactic for keeping the payload encrypted until it is past gateway scanning. A ClamAV signature hit (Pdf.Phishing.Trojan, listed under Heuristics) corroborates the verdict. Note that no JavaScript heuristic fires in this listing, so the T1059.007 mapping above is not corroborated by the detections shown here.
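As an added illustration of what the SE_PASSWORD_ARCHIVE_LURE heuristic looks for (example code written for this page, not the analysis engine's own implementation), the following Python flags text in which a password mention sits close to an archive or attachment handoff and pulls out the candidate password. The sample sentences are constructed, and the keyword sets, the 120-character window and the find_archive_lure / scan_documents names are assumptions about how such a check can be built rather than the engine's logic.

```python
import re

# Constructed sample texts (not text recovered from the analysed PDF).
SAMPLES = {
    "lure_link": "Download the archive from the link below and extract it with the password 7733 to view the document.",
    "lure_attachment": "The attached file is password protected. Password: Invoice2021",
    "benign_policy": "Never share your password with anyone; our staff will never ask for it.",
    "benign_archive": "The quarterly report is available as a zip archive on the intranet.",
}

# Assumed keyword sets; a production heuristic would carry localized variants and more handoff verbs.
PASSWORD_RE = re.compile(r"\b(?:password|passcode|pass\s*code|pwd)\b", re.I)
HANDOFF_RE = re.compile(r"\b(?:archive|zip|rar|7z|attachment|attached|extract|unzip|decrypt|unpack)\b", re.I)
# "password 7733", "Password: Invoice2021", "passcode is abc" -> group 1 is the candidate secret.
SECRET_RE = re.compile(r"\bpass(?:word|code)\b\s*(?:is|:|=|-)?\s*[\"']?([A-Za-z0-9!@#$%^&*_\-]{3,32})", re.I)
# Ordinary words that follow "password" in prose and are not secrets.
NOT_SECRETS = {"protected", "protect", "the", "and", "for", "with", "your", "this", "that",
               "will", "not", "you", "from", "must", "should", "reset", "manager", "field"}


def find_archive_lure(text, window=120):
    """Return a finding if a password mention sits within `window` characters of an
    archive/attachment handoff term, else None. The extracted secret is best effort."""
    for pm in PASSWORD_RE.finditer(text):
        lo, hi = max(0, pm.start() - window), min(len(text), pm.end() + window)
        ctx = text[lo:hi]
        hm = HANDOFF_RE.search(ctx)
        if hm is None:
            continue  # a password mention without a handoff is ordinary prose (policy text, help pages)
        secret = None
        for sm in SECRET_RE.finditer(ctx):
            if sm.group(1).lower() not in NOT_SECRETS:
                secret = sm.group(1)
                break
        return {
            "heuristic": "SE_PASSWORD_ARCHIVE_LURE",
            "severity": "high",
            "handoff_term": hm.group(0),
            "secret": secret,
            "context": ctx.strip(),
        }
    return None


def scan_documents(samples):
    """Map each sample name to its finding (or None); convenient for batch triage."""
    return {name: find_archive_lure(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, finding in scan_documents(SAMPLES).items():
        print(f"{name}: {'hit' if finding else 'clean'}",
              f"secret={finding['secret']}" if finding else "")
```

The extracted secret is worth keeping in the finding: a gateway that can recover the password from the lure text can open the accompanying archive itself instead of letting it through unscanned.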

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment, a tactic often used to keep payloads encrypted until after gateway scanning.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/123?utm_term=bitlocker++windows+7+home (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4405950/normal_6043886ce9f47.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4411702/normal_6034f16d0893d.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4385436/normal_604d31b8383a9.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4418566/normal_6004af482478d.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4422643/normal_6003e5ca19cb8.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447089/normal_60140eac2f75b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4385413/normal_6010ccc673aec.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379837/normal_605fad58d163b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4451565/normal_605c168017f48.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b41e8bd8-06aa-416c-9b97-d4e5237eca89/gotes.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2e33752f-44c1-4abf-9c49-4a58496c57a1/taking_sides_clashing_views_on_educational_issues_ebook.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e4a2c427-1021-47d1-b0ba-d2cb2da6c211/tovusonimuxasob.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/80c0a516-0480-4329-ac8f-380a5fd2235c/2546150837.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7c0119dc-e046-4919-876e-e823f030ef86/why_does_my_mobility_scooter_keep_cutting_out.pdf (in PDF document text)
    • http://zobalazaga.pbworks.com/f/zenonia_3_offline.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/aa438eaf-d9e2-4e3d-b324-974caa6bf783/cual_es_la_importancia_de_un_presupuesto_de_capital.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c496d5d6-cc9a-4ea2-bf22-cba9f26503e5/brandy_melville_gift_card_in_store.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/93777901-ebc1-449e-a629-3cfa082e59c5/reddit_how_hard_is_ap_language_and_composition.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/94d59675-9291-48c4-abba-0ba4b0dfd497/lawanaxexofimamejupadazak.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bbc5c84d-cdd0-48a5-943a-9514eb1b9df6/free_month_to_month_room_rental_agreement_california.pdf (in PDF document text)
    • http://tazijebep.pbworks.com/w/file/fetch/144566586/wodoxewipapiriwusare.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    Only the first entry is reached through a link annotation, i.e. a clickable action. The w3.org, purl.org and ns.adobe.com entries are XMP/RDF metadata namespace identifiers and scripts.sil.org/OFL is the Open Font License URL carried by the embedded fonts; none of these is a navigable lure link.
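To make the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL findings concrete, here is an added Python example (written for this page, not the analysis engine's code) that scans raw PDF bytes for every "N G obj ... endobj" definition, reports objects defined more than once with differing bodies, shows which body a first-wins versus a last-wins reader would resolve, raises the severity only when a duplicate carries active content, and extracts /URI actions with the object and definition they came from. The sample PDF bytes are constructed: a minimal document whose link annotation points at a URI action, followed by an incremental update that redefines that action with a different URL. Cross-reference tables are omitted because this scanner works on raw bytes only; the ACTIVE_KEYS list and the severity policy are assumptions modelled on the heuristic description above, and nothing in the sample comes from the analysed file.

```python
import re
from collections import OrderedDict

# Constructed sample: a minimal PDF whose link annotation (4 0) points at action 5 0,
# followed by an incremental update that redefines 5 0 with a different /URI.
# xref tables are deliberately omitted; this scanner works on raw bytes only.
ORIGINAL = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A 5 0 R >>
endobj
5 0 obj
<< /S /URI /URI (https://example.org/benign-manual.pdf) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
UPDATE = b"""5 0 obj
<< /S /URI /URI (https://example.invalid/lure?utm_term=bitlocker+windows+7+home) >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""
SAMPLE_PDF = ORIGINAL + UPDATE

# "N G obj ... endobj" in file order; the lookbehind stops "13 0 obj" also matching as "3 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI followed by a literal string; the inner group tolerates backslash escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Assumed list of keys whose presence means a duplicate can change what the viewer does.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def iter_objects(data):
    """Yield (num, gen, body, offset) for each indirect object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3), m.start()


def normalize(body):
    """Collapse whitespace so formatting-only rewrites are not reported as different bodies."""
    return b" ".join(body.split())


def find_duplicate_objects(data):
    """One finding per (num, gen) defined more than once with differing bodies.
    first_wins is what a scan-from-the-top reader sees; last_wins approximates a conforming
    reader that follows the newest xref of an incremental update."""
    defs = OrderedDict()
    for num, gen, body, off in iter_objects(data):
        defs.setdefault((num, gen), []).append((off, normalize(body)))
    findings = []
    for key, versions in defs.items():
        if len(versions) < 2 or len({b for _, b in versions}) < 2:
            continue
        first_off, first = versions[0]
        last_off, last = versions[-1]
        active = any(k in first or k in last for k in ACTIVE_KEYS)
        findings.append({
            "object": key,
            "definitions": len(versions),
            "first_wins": first, "first_offset": first_off,
            "last_wins": last, "last_offset": last_off,
            "active_content": active,
            # Assumed severity policy: info unless a duplicate carries active content.
            "severity": "high" if active else "info",
        })
    return findings


def extract_uris(data):
    """Every /URI literal string with the object that carries it and which definition (0 = first)."""
    seen, out = {}, []
    for num, gen, body, _ in iter_objects(data):
        idx = seen.get((num, gen), 0)
        seen[(num, gen)] = idx + 1
        for m in URI_RE.finditer(body):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # strips simple escapes; octal escapes not handled
            out.append({"object": (num, gen), "definition": idx, "uri": raw.decode("latin-1")})
    return out


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"{f['object']} defined {f['definitions']}x, severity={f['severity']}")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
    for u in extract_uris(SAMPLE_PDF):
        print(f"URI {u['uri']} in object {u['object']} (definition #{u['definition']})")
```

Running it on the constructed sample reports object (5, 0) twice with different bodies and raises the severity because both bodies carry a /URI action, and lists both URLs with the definition index, which is the per-URL channel information the EMBEDDED_URL entry refers to. Running it on ORIGINAL alone returns no duplicate finding, matching the "benign incremental update" caveat in the heuristic description.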

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000f252.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF252   5256 bytes
  SHA-256: 93f1bb6c32427352414f58a5ab781808072d11837efd242bf9cb38fe2ab0b8dc
font_01_sfnt_off00010426.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x10426  11676 bytes
  SHA-256: ca8880b99860ffdca4b51eaf410c7e73a037367ab7fd44543a35b5bbbebcbbf3