Malicious PDF — malware analysis report

Static analysis result for SHA-256 60daa2a9a46f3707…

Verdict: MALICIOUS
File type: PDF
Size: 83.7 KB
Created: 2021-06-07 03:18:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cd2a5c09467ee1f13b9a2c7d718450bd
SHA-1: bd773e7d575963e1c46b1b0a5f1864e43f69bf98
SHA-256: 60daa2a9a46f37074d25a1c8b88a546e642c432a03a26e3299feee80f4c7a8d1
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and by ClamAV, which classifies it as a phishing trojan. The document body, though heavily obfuscated, contains text related to 'vintage wooden world map wall art' and references wkhtmltopdf, suggesting it is a lure. The primary IOC is a URL that appears to be part of this phishing attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9954

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://mezovuduw.ru/wb?keyword=vintage%20wooden%20world%20map%20wall%20art

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f1b8.bin
SHA-256: 7f410d068c9d45114e19c94713d916c3f689e5b2b67467dab4636741a4bfa578
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF1B8
Size: 5160 bytes

Filename: font_01_sfnt_off00010344.bin
SHA-256: fee41c8bac3cbbd614c590b10da2ff53a130040cd978aa2f2987a25901c0b81e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10344
Size: 11604 bytes

Filename: font_02_sfnt_off00012b11.bin
SHA-256: 6f30d31ab53d325f4e3f08a53e883132ea92c501d32d7b77fa495aa04f83fc5c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12B11
Size: 16312 bytes