Malicious PDF — malware analysis report

Static analysis result for SHA-256 61168a2c97955813…

MALICIOUS

PDF

Size: 77.8 KB
Created: 2021-03-18 13:55:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2d865d83f145f6e42bed695eb58ea7f4
SHA-1: 7cc13cd7f9bbfa3f16ae715724e74b61c29c852e
SHA-256: 61168a2c979558136272cde1037fcc7af203cf74b7bd5045a470fd29b601e4da
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Both the ML classifier and ClamAV flag the file; the ClamAV signature names it a PDF phishing trojan. The extracted URLs and the document body, which refers to 'Mortal kombat x strategy guide book', point to a search-bait lure: the document exists to get the reader to follow a link to further content hosted elsewhere. No JavaScript or other script was extracted, so the risk rests on the external URI action (the link the reader is meant to click) and on the duplicate object definitions, which let different readers resolve different content, rather than on active code; the T1059.007 mapping is not backed by an extracted script in this sample. The authoring application (wkhtmltopdf via Qt) is consistent with an HTML page rendered to PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV signature match critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader (typically a scanner that takes the first definition it meets) and a last-wins reader (typically a viewer honouring the latest incremental update) will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when one of the duplicate bodies carries active content (an action, script or file attachment).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/wix?keyword=mortal+kombat+x+strategy+guide+book
    • https://cdn-cms.f-static.net/uploads/4450630/normal_5fd258fba347a.pdf
    • https://birifebirox.weebly.com/uploads/1/3/3/9/133999865/481e59448a53751.pdf
    • http://rajenajodaf.iblogger.org/88370918410.pdf
    • https://bigififipajug.weebly.com/uploads/1/3/4/7/134709095/fekuduk.pdf
    • http://summ-green.fun/84_charing_cross_road_film_streaming_vfef3s9.pdf
    • https://static.s123-cdn-static.com/uploads/4386091/normal_5fed0d1ee3b7b.pdf
    • http://natorg.fun/what_kind_of_stickers_can_you_use_in_resin1jjau.pdf
    • http://dejamorije.scienceontheweb.net/how_to_be_a_good_project_manager.pdf
    • https://static.s123-cdn-static.com/uploads/4417990/normal_6001934201e5d.pdf
    • https://mapulanedubo.weebly.com/uploads/1/3/0/9/130969056/5496156.pdf
    • https://cdn-cms.f-static.net/uploads/4446492/normal_602d25b0a0e5c.pdf
    • http://mitedujonajezed.scienceontheweb.net/penuwomigipezumonuv.pdf
    • http://tohld.in/die_unendliche_geschichte_film_streamszf2m.pdf
    • http://jarewitof.mypressonline.com/12291995060.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/59ca1fd0-ec2f-4323-8fbb-ffe15ee636d4/fupida.pdf
    • http://veguxakafopuvix.epizy.com/hedonic_scale_sheet.pdf
    • http://xutenujute.myartsonline.com/61273404070.pdf
    • https://uploads.strikinglycdn.com/files/03d57ec1-f9bd-4bc7-9e6f-1a254d196f37/xorimugebifiro.pdf
    • http://viwuwijagabote.myartsonline.com/section_8.5_electronegativity_and_polarity_worksheet_answers.pdf
    • https://uploads.strikinglycdn.com/files/c13ea663-0015-4504-9f17-a9056f16b6bf/what_is_the_best_online_bachelors_degree_program.pdf
    • https://uploads.strikinglycdn.com/files/8f65ecde-bbea-4988-8f4a-feb5c9eccf29/jelajexevab.pdf
    • https://uploads.strikinglycdn.com/files/761628c0-3cbc-4141-89a3-169014acb21d/26764057953.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are RDF, Dublin Core and Adobe XMP namespace identifiers plus the SIL Open Font License URL; they are expected in the metadata of a wkhtmltopdf/Qt-produced PDF and in embedded fonts, not navigable lure links. The two ascendercorp.com URLs are a font vendor's addresses and most likely come from the name table of an embedded font rather than from the page content.
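The two structural heuristics above, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on raw bytes without trusting the cross-reference table. The Python below is an added illustration written for this page, not the analysis engine's own code. It runs on a constructed minimal PDF (not the analysed sample) in which an incremental update redefines the link annotation object, and the list of dictionary keys it treats as "active content" is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF whose incremental
# update redefines object 4, the link annotation, so that a first-wins parser
# sees a harmless URI and a last-wins parser sees the lure. Cross-reference
# tables are omitted on purpose: a body-level scan must not rely on them,
# because the same trick can be played with a forged xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]
   /A << /S /URI /URI (https://example.invalid/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 200 20]
   /A << /S /URI /URI (https://resalured.ru/wix?keyword=mortal+kombat+x+strategy+guide+book) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" with the body captured; every definition is kept.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b\s*(.*?)\s*endobj", re.S)
# Keys that make an object "active" (this example's assumption): they can
# trigger code, a launch, a navigation, a form post or an attachment.
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile)\b")
# Literal-string URI operand, honouring backslash escapes; hex-string
# operands (<...>) are not handled by this illustration.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def parse_objects(data: bytes) -> dict:
    """Map (object number, generation) -> list of body bytes, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return dict(objs)


def duplicate_objects(objs: dict) -> list:
    """Objects defined more than once with differing bodies, plus the active
    keys any of the definitions carry (empty means a benign-looking update)."""
    out = []
    for key, bodies in sorted(objs.items()):
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = sorted({k.decode() for b in bodies for k in ACTIVE_RE.findall(b)})
            out.append({"obj": key, "definitions": len(bodies), "active_keys": active})
    return out


def uri_actions(objs: dict, policy: str = "last") -> list:
    """URIs a reader resolves under first-wins or last-wins duplicate handling."""
    uris = []
    for _key, bodies in sorted(objs.items()):
        body = bodies[0] if policy == "first" else bodies[-1]
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


def assess(data: bytes) -> dict:
    """Reproduce the two structural heuristics from the report on raw bytes."""
    objs = parse_objects(data)
    dups = duplicate_objects(objs)
    first, last = uri_actions(objs, "first"), uri_actions(objs, "last")
    return {
        "PDF_URI": bool(first or last),
        "PDF_DUPLICATE_OBJ_BODY_INCREMENTAL": bool(dups),
        # Severity is raised only when a duplicate carries active content.
        "duplicate_with_active_content": any(d["active_keys"] for d in dups),
        "uris_first_wins": first,
        "uris_last_wins": last,
    }


if __name__ == "__main__":
    for name, value in assess(SAMPLE_PDF).items():
        print(f"{name}: {value}")
```

Reporting `uris_first_wins` and `uris_last_wins` separately is the point: a gateway scanner that resolves first-wins would inspect the benign URL while a last-wins viewer on the endpoint follows the lure. On real samples, objects inside compressed object streams (/ObjStm) must be inflated before this kind of regex pass sees them, and the xref-free scan here deliberately over-reports so that a forged xref cannot hide a definition.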

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000f26a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF26A    5524 bytes
  SHA-256: bbdd67a54862f5755d714e36f39a688855299c0aeef8e574dc8387b063d64778
font_01_sfnt_off0001052e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1052E   10804 bytes
  SHA-256: 0a5740ecf5c380173c9246a56eb28ea6b988a74ef358e7f26f2506795d6a98e4