Malicious PDF — malware analysis report

Static analysis result for SHA-256 62310739e8afdbc0…

MALICIOUS

PDF

Size: 382.8 KB
Created: 2021-03-29 02:23:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-20
MD5: 02ab240e0d676ba7f1e2e997beef2cb1
SHA-1: 53d117283d0b5761986b9fc7647cbbbf77a2b2c8
SHA-256: 62310739e8afdbc02d8f048815824c89a8b35e06e48216b128056c69032c601d
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF file flagged by ML classifiers and ClamAV as malicious. It contains an embedded URI pointing to a URL that mimics a search result for a free PDF download, a common lure for phishing or malware distribution. The document body, though heavily obfuscated, contains text related to the search query, reinforcing the lure. No scripts were extracted, but the embedded URI suggests an attempt to redirect the user to a malicious resource.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9817

Heuristics (5)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure (low) SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                         Kind             Source                                   Size
font_00_sfnt_off000596cc.bin     pdf-font-stream  PDF embedded font (sfnt) at offset 0x596CC   5516 bytes
    SHA-256: cd5f70f352ccbee77a1ae4a3d28359a7df93c9a91b3a84a3ec74698b58b4a93b
font_01_sfnt_off0005a9a9.bin     pdf-font-stream  PDF embedded font (sfnt) at offset 0x5A9A9  13024 bytes
    SHA-256: ebacfe95116d2114613db53410e91e7622a0d6130fb40039cb052d5a042ffa48
font_02_sfnt_off0005d5bf.bin     pdf-font-stream  PDF embedded font (sfnt) at offset 0x5D5BF  16204 bytes
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501