Malicious PDF — malware analysis report

Static analysis result for SHA-256 58c675554179d4b4…

MALICIOUS

PDF

Size: 77.4 KB
Created: 2021-05-08 16:24:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: 9ca96db41f6aa58d04aca9b0bc08f881
SHA-1: 0848b82ef7051bfa51815848233326052f8871ca
SHA-256: 58c675554179d4b4ad285a4d6ef20932a0f271d4188de0e51e6962d698a85053
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/strik?utm_term=romeo+and+juliet+1996+cast+ages (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4487663/normal_6053b99f8d230.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470218/normal_606294f6724e5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470841/normal_606919564a2f0.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4371003/normal_60415c205118a.pdf (in PDF document text)
    • http://sanatoriy-izumrudny.ru/history_alive_online_loginp9kzy.pdf (in PDF document text)
    • http://esmoney.site/how_to_do_wing_chun2ezf1.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4446511/normal_605b0e2b0eca2.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4468296/normal_6055dffa60de0.pdf (in PDF document text)
    • http://edevletorg.com/1978_john_deere_316_service_manualidzwe.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4374369/normal_603b6d1658f31.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5a446ace-84b8-48b4-b47d-00bb20e76935/the_missing_link_theory_of_evolution.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4d903789-263d-4a1e-b233-83be0a2f4d64/93261795413.pdf (in PDF document text)
    • https://s3.amazonaws.com/tarizirefevifab/steven_pinker_enlightenment_now_criticism.pdf (in PDF document text)
    • https://s3.amazonaws.com/dewutexorob/xobaxuxajidezewikupawine.pdf (in PDF document text)
    • https://s3.amazonaws.com/gazivemon/animated_video_maker_apk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c71e99e6-6bca-4fba-91bd-e1bdff85c8cb/73477485214.pdf (in PDF document text)
    • https://s3.amazonaws.com/lerezazo/how_to_work_out_the_volume_of_a_cuboid_net.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/32744d15-ce82-403e-aaa4-b70ac253be66/claudia_quotes_interview_with_the_vampire_book.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/20d87326-c729-48f9-bfcd-af8b69b49bba/83630757319.pdf (in PDF document text)
    • https://s3.amazonaws.com/nalifij/best_carpet_sweeper_consumer_reports.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fc25f19f-9012-4bf6-a52d-3d5dbcba75a3/the_nutcracker_and_the_mouse_king_quotes.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000edbe.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEDBE
    Size: 5608 bytes
    SHA-256: 6ae56fb0de30fd728d3c3e39c2c9ed2f11427cf156b9c862ef224b95125e04c3
  • Filename: font_01_sfnt_off000100cd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100CD
    Size: 11440 bytes
    SHA-256: a910fa0a9fb6fec1952627935582a489eca9628893a2be2a1391776d698ef8d7