Malicious PDF — malware analysis report

Static analysis result for SHA-256 59412beefae6406f…

Verdict: MALICIOUS
File type: PDF
Size: 92.6 KB
Created: 2021-04-11 03:39:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 1f20d5fdbcc55720dd9c241db6a685e1
SHA-1: 80b0aca54c974903226d4419d561c32993a35ccb
SHA-256: 59412beefae6406f26886f0f61368e38102ad4001c6042a33d60dd6d4182d197
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to host a phishing page or download further malware. The document body, though heavily obfuscated, suggests a lure related to traffic safety statistics, aligning with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/strik?utm_term=national+highway+traffic+safety+administration+accident+statistics (channel: PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00011d5f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11D5F
    Size: 5388 bytes
    SHA-256: 2d28dc553ee1ece215c5d049dda3b999f825b522c4ebaae9dae35006458621e7
  • font_01_sfnt_off00012f8f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12F8F
    Size: 11304 bytes
    SHA-256: 3eda770c1b9397fe22687ab0c0d5ec535b7a8df2f3178797c81118a8cf8493a7
  • font_02_sfnt_off000155c6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x155C6
    Size: 4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c