Malicious PDF — malware analysis report

Static analysis result for SHA-256 61526bcf49c221e6…

Verdict: MALICIOUS
File type: PDF
Size: 85.9 KB
Created: 2021-03-18 23:50:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9c8c121e1747705d3d7db4eb922112ac
SHA-1: 20775ad1d04be7a0d06ee7eadfa843ddd81edfca
SHA-256: 61526bcf49c221e6f7c410ab0a3af995526c27f0d74d46660a70bb20d45ffca6
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged by the ML classifier and by ClamAV, whose signature name (Pdf.Phishing.Trojan) already points at phishing rather than exploitation. It carries an external URI action whose target, https://vilenefex.ru/wix?keyword=zombie+gunship+mod+apk+1.14.4, has the 'zombie gunship mod apk' keyword of a lure for a modified Android app package; the document's job is to get the reader to click through to a download, not to exploit the viewer. No JavaScript or other script content was extracted, so the T1059.007 mapping rests on the file type rather than on observed behaviour, and the duplicate-object-body finding is rated info, consistent with an ordinary incremental update. The authoring application (wkhtmltopdf, an HTML-to-PDF converter) and the many other .pdf links on free web-hosting and site-builder CDN domains fit a mass-produced lure document converted from a web page. The w3.org, purl.org, ns.adobe.com, scripts.sil.org, dejavu.sourceforge.net and ascendercorp.com entries in the URL list are typical XMP namespace, font-licence and font-vendor strings carried in metadata and embedded font name tables, not indicators; block or hunt on the vilenefex.ru URL and the lure .pdf hosts instead.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9985)

Heuristics (4)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): the PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): the same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it stays at info.
  • EMBEDDED_URL (info): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) say which path reached each URL.
    • https://vilenefex.ru/wix?keyword=zombie+gunship+mod+apk+1.14.4 (the embedded URI noted under Malware Insights)
    • http://igcopyrightclient.com/retivizukenewikufidruhfc.pdf
    • http://4gusevshop.space/dornier_medtech_annual_reportnl5a3.pdf
    • https://cdn.sqhk.co/jimavidozeze/MHjhieG/jetevumoxomamaropolar.pdf
    • https://cdn-cms.f-static.net/uploads/4495043/normal_5fd77d545e819.pdf
    • http://eurofamily.pro/vw_polo_owners_manual_2017c943r.pdf
    • http://confirmationhelpcenter.com/how_much_does_a_retractable_awning_cost_ukrpcb5.pdf
    • http://kalavar.xyz/wilevigifotofudixil3uao8.pdf
    • https://cdn-cms.f-static.net/uploads/4366374/normal_6015463e9f6b3.pdf
    • https://static.s123-cdn-static.com/uploads/4382408/normal_5fe2788b4a9de.pdf
    • https://static.s123-cdn-static.com/uploads/4453342/normal_5fe4248296d20.pdf
    • https://cdn.sqhk.co/wabitakenina/iVhdfge/nekuvuzewufijijijemojaz.pdf
    • http://nosatines.mypressonline.com/angina_de_pecho_estable_tratamiento.pdf
    • https://cdn-cms.f-static.net/uploads/4475989/normal_602189654ef4d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://bifovigavij.myartsonline.com/bsn_sports_logo.pdf
    • https://9e2b3e3a-6a02-4d3b-8ba9-5acc01041672.filesusr.com/ugd/66c878_881cb36443484d5abc7d950b4940778d.pdf?index=true
    • http://naxefugoxodikow.atwebpages.com/wikutedadubuwaruvifiga.pdf
    • http://zopopujeji.rf.gd/samsung_dvd_region_code_unlock.pdf
    • http://fizijumopib.rf.gd/what_do_the_figurines_symbolize_in_purple_hibiscus.pdf
    • http://doriponesarom.myartsonline.com/7038175217.pdf
    • https://18cceff7-6d50-42ec-9d85-67184b61345e.filesusr.com/ugd/8c2e83_952ad96cd83949eebafd3da1a2430199.pdf?index=true
    • http://xugonowelimije.epizy.com/saroteduvamog.pdf
    • http://xumeweb.rf.gd/wallpaper_all_hd.pdf
    • http://vuxomukixade.epizy.com/jevajajarumuzow.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded font programs (sfnt/TrueType subsets), which is what an HTML-to-PDF converter such as wkhtmltopdf normally embeds; no other artifact was carved.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000ef42.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xEF42    2880 bytes
  SHA-256: b90b109c34db9b2d961be312c0c64f13ba4f5af9c83d6ae4556a72cb7f468167
font_01_sfnt_off0000f980.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF980    5580 bytes
  SHA-256: 680dd13af588cff636852355c1a7682fb444a278d47650bc41fd5d21a3cfc74a
font_02_sfnt_off00010c69.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10C69  11604 bytes
  SHA-256: 98c358f91e5b6df2634cb5e8f2aa1d521cf645e6308ebf3636e09c54620bdea7
font_03_sfnt_off00013450.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x13450  16132 bytes
  SHA-256: 4f6d6443d667672870c38ce4e1d364e29e61a0df6fd2d8217a47270b9fff04c9
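The heuristics in the list above (PDF_URI / EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the font carving in the artifact table can be reproduced with a short static-triage script. The one below is an added example written for this page; it is not the analysis platform's code and nothing in it comes from the sample. It constructs a small PDF inline (a link annotation with a /URI action, Flate-compressed XMP metadata, a TrueType-shaped font stream, and an incremental update after %%EOF that redefines the action object with a different URL; the lure.example host, the object numbers and the padding bytes are all made up), then labels every URL by the channel that reached it, flags the conflicting object definitions, and carves and hashes the sfnt stream. It only slices streams with a direct /Length value; indirect lengths and object streams are out of scope.

```python
"""Stand-alone re-implementation of three report heuristics: PDF_URI / EMBEDDED_URL
(which channel reached each URL), PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (object defined
twice with different bytes) and sfnt font carving. Added example, not the analysis
platform's code; the sample PDF is constructed inline so the script runs offline."""
import hashlib
import re
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
# Namespace URIs that XMP writers such as wkhtmltopdf put in /Metadata; not indicators.
METADATA_NS = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
               "http://purl.org/dc/elements/", "http://ns.adobe.com/")
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction", b"/AA")

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
RAW_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Direct /Length only: an indirect one ('/Length 9 0 R') is deliberately not matched.
STREAM_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)\b.*?stream\r?\n", re.S)

def parse_objects(pdf):
    """(num, gen, body, body_offset) for every 'N G obj ... endobj' in file order;
    an object redefined by an incremental update therefore appears twice."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3), m.start(3))
            for m in OBJ_RE.finditer(pdf)]

def iter_streams(objects):
    """(file_offset, raw_bytes) of each stream, sliced by its direct /Length value."""
    for _, _, body, off in objects:
        m = STREAM_RE.search(body)
        if m:
            yield off + m.end(), body[m.end():m.end() + int(m.group(1))]

def find_uri_actions(objects):
    """(object, URL) for every /URI action (link annotation, OpenAction, ...)."""
    return [(f"{n} {g}", m.group(1).decode("latin-1"))
            for n, g, body, _ in objects for m in URI_ACTION_RE.finditer(body)]

def triage_urls(pdf, objects):
    """All URLs in the raw file and inside Flate streams (XMP metadata and font-licence
    strings live there), each labelled with the channel that reached it."""
    found = {m.group(0).decode("latin-1") for m in RAW_URL_RE.finditer(pdf)}
    for _, raw in iter_streams(objects):
        try:
            found.update(u.decode("latin-1") for u in RAW_URL_RE.findall(zlib.decompress(raw)))
        except zlib.error:
            continue
    actions = {u for _, u in find_uri_actions(objects)}
    return [(u, "link-action" if u in actions
             else "xmp-namespace" if u.startswith(METADATA_NS) else "document-body")
            for u in sorted(found)]

def duplicate_objects(objects):
    """Same (N G) defined twice with different bytes: a first-wins reader and a
    last-wins reader resolve different content. 'active' is True when either
    version carries active content, which is when the report raises severity."""
    first, hits = {}, []
    for n, g, body, off in objects:
        if (n, g) in first and first[(n, g)][0] != body:
            hits.append({"obj": f"{n} {g}", "first_off": first[(n, g)][1], "dup_off": off,
                         "active": any(k in body or k in first[(n, g)][0] for k in ACTIVE_KEYS)})
        first.setdefault((n, g), (body, off))
    return hits

def carve_sfnt_fonts(objects):
    """Decode each stream and keep those starting with an sfnt magic, reporting
    stream offset, decoded size and SHA-256 like the artifact table."""
    fonts = []
    for off, raw in iter_streams(objects):
        try:
            data = zlib.decompress(raw)
        except zlib.error:
            data = raw  # not Flate-compressed
        if data[:4] in SFNT_MAGICS:
            fonts.append({"offset": off, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
    return fonts

def build_sample_pdf():
    """Constructed sample (not the analysed file): link annotation with a /URI action,
    Flate-compressed XMP metadata, a TrueType-shaped font stream, and an incremental
    update after %%EOF that redefines object 5 with a different URL."""
    font_z = zlib.compress(b"\x00\x01\x00\x00" + b"\x00" * 60)  # sfnt magic + padding
    xmp_z = zlib.compress(b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>')
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 7 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A 5 0 R >> endobj",
        b"5 0 obj << /S /URI /URI (https://lure.example/first) >> endobj",
        b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(font_z)
        + font_z + b"\nendstream\nendobj",
        b"7 0 obj << /Type /Metadata /Length %d /Filter /FlateDecode >>\nstream\n" % len(xmp_z)
        + xmp_z + b"\nendstream\nendobj",
    ]
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    update = (b"5 0 obj << /S /URI /URI (https://lure.example/second?keyword=mod+apk) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return original + update

def run_triage(pdf):
    objects = parse_objects(pdf)
    return {"urls": triage_urls(pdf, objects), "duplicates": duplicate_objects(objects),
            "fonts": carve_sfnt_fonts(objects)}

if __name__ == "__main__":
    import json
    print(json.dumps(run_triage(build_sample_pdf()), indent=2))
```

To use it on a real file, pass the file's bytes to run_triage() instead of build_sample_pdf(). On a wkhtmltopdf document like the one above, the w3.org, purl.org and ns.adobe.com entries would be expected to land in the xmp-namespace bucket, while font-licence URLs inside the decoded font streams come out as document-body, since nothing points an action at them; only the link-action URLs are worth blocking or hunting on.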