Malicious PDF — malware analysis report

Static analysis result for SHA-256 635de6253f2b0ea2…

Verdict: MALICIOUS
File type: PDF
Size: 90.7 KB
Created: 2021-06-10 16:16:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4d8ade6cf090742803ec2e4900a92a5e
SHA-1: 71dd287b4f6c0bb7b2e03d2bdc9a544760a85a7f
SHA-256: 635de6253f2b0ea20891be6b2d40957344c8f6edd6f93eb4253b3685eeb722f4
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action pointing to queure.ru, a suspicious domain; the ML classifier (malicious score 0.9988) and the ClamAV Pdf.Phishing signature both indicate a phishing lure rather than a benign document. The document body, though partially corrupted, suggests a pretext of 'discussion questions' (also visible in the URL's utm_term parameter) to entice the reader into clicking the link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The rdf-syntax-ns, purl.org/dc and ns.adobe.com entries at the end of the list are standard XMP metadata namespaces, and the scripts.sil.org/OFL and dejavu.sourceforge.net entries are font-licence references of the kind carried in embedded font name tables; none of these is a lure link.
    • URL https://queure.ru/pbw?utm_term=discussion+questions+for+the+night+watchman
    • https://static.s123-cdn-static.com/uploads/4393358/normal_5fc8194ed08f3.pdf
    • https://cdn-cms.f-static.net/uploads/4382187/normal_601bae42cdf07.pdf
    • https://cdn-cms.f-static.net/uploads/4446914/normal_6056c066044e1.pdf
    • https://static.s123-cdn-static.com/uploads/4417429/normal_600742dd53943.pdf
    • https://cdn-cms.f-static.net/uploads/4401714/normal_6064fab997a36.pdf
    • https://static.s123-cdn-static-d.com/uploads/4480397/normal_60b3207f56636.pdf
    • https://static.s123-cdn-static.com/uploads/4456685/normal_5fcf397851e0b.pdf
    • https://cdn-cms.f-static.net/uploads/4506170/normal_60421ea5618c8.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/0a2971b9-d5dd-43e3-8090-588cf1e413e0/when_did_you_start_high_school_if_you_graduated_in_2015.pdf
    • https://uploads.strikinglycdn.com/files/584ab93a-c7c5-4221-803b-c63f2f13cac9/child_of_god_cormac_mccarthy_read_online.pdf
    • http://negovijalulu.pbworks.com/w/file/fetch/144412404/kaletajoruduwaxotekego.pdf
    • https://uploads.strikinglycdn.com/files/df788667-c3a3-41ff-a68d-e50e4d01e217/98922498812.pdf
    • https://uploads.strikinglycdn.com/files/35d5a98e-776b-403d-8145-c3aae66a89ae/best_penny_stocks_to_buy_for_january_2021.pdf
    • http://nikekuva.pbworks.com/w/file/fetch/144414246/slayer_leecher_v0_5.pdf
    • http://fulusivijomu.pbworks.com/w/file/fetch/144477240/barbie_ylba_filmi_izle.pdf
    • https://uploads.strikinglycdn.com/files/ec0002e3-8c8e-478a-89a4-ce8129fd04ec/popawatarajumuxugita.pdf
    • http://giresizuloki.pbworks.com/w/file/fetch/144462297/wogefiman.pdf
    • http://tusoxefum.pbworks.com/f/banumabalexejas.pdf
    • https://uploads.strikinglycdn.com/files/40b1f80d-694f-4624-97da-033faf67e463/55590095299.pdf
    • https://uploads.strikinglycdn.com/files/ffe0c528-ef60-4f22-bab7-ab596b22456d/werapogapaxixamobubajokeb.pdf
    • https://uploads.strikinglycdn.com/files/0cb4d427-de34-45a2-971a-d6050b87e779/storm_kings_thunder_nightstone_map_pack.pdf
    • http://nunaruribeg.pbworks.com/w/file/fetch/144415362/45084523708.pdf
    • http://gamaxidad.pbworks.com/f/tovuxuvuber.pdf
    • https://uploads.strikinglycdn.com/files/e57b6b02-dd69-4813-a894-b04216e136f2/88205032199.pdf
    • https://uploads.strikinglycdn.com/files/917ee0b2-a785-4f59-b2bf-449d3d991b71/driver_hp_envy_4500_mac_10.5.8.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
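The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI heuristics above can be reproduced in a few lines of Python. The block below is an added example written for this page, not code from the scanner that produced the report: it walks the raw file bytes for every `N G obj ... endobj` definition (deliberately ignoring the xref table, so it sees what both first-wins and last-wins readers could pick), reports objects that have more than one distinct body, and escalates only when one of the competing bodies carries active content (/JavaScript, /JS, /Launch, /URI, /OpenAction, /AA and similar). The sample PDF, its appended incremental update and the example.invalid URLs are constructed for the demonstration and have nothing to do with the report's sample.

```python
"""Find indirect objects defined more than once with different bodies and
flag the ones that carry active content.

Added example; not the report's own scanner. Works on raw bytes so every
generation of an object is seen, including ones appended as an incremental
update that a reader following the last xref would silently prefer.
"""
import re
from collections import defaultdict

# "N G obj ... endobj" anywhere in the file. Triage heuristic: a binary
# stream containing "endobj" or an "N G obj" pattern will confuse it, and
# objects packed into /ObjStm streams are not visible without decoding.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

# Name tokens that justify escalating a duplicate. The lookahead stops /JS
# matching /JSx and /AA matching /AAxyz: PDF names end at a delimiter.
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|URI|SubmitForm|OpenAction|AA|GoToR|EmbeddedFile)"
    rb"(?![A-Za-z0-9])")


def iter_objects(data: bytes):
    """Yield (num, gen, body, file_offset) for every object definition."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def find_duplicate_objects(data: bytes):
    """Map (num, gen) -> [(offset, body), ...] for objects defined more than
    once with at least two distinct bodies, in file order."""
    defs = defaultdict(list)
    for num, gen, body, off in iter_objects(data):
        defs[(num, gen)].append((off, body))
    return {k: v for k, v in defs.items()
            if len(v) > 1 and len({b for _, b in v}) > 1}


def active_content(body: bytes):
    """Sorted, de-duplicated active-content names present in one body."""
    return sorted({m.group(1).decode() for m in ACTIVE_RE.finditer(body)})


def resolve(data: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """Body a first-wins ('first') or last-wins ('last') reader would use."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        raise KeyError((num, gen))
    return bodies[0] if policy == "first" else bodies[-1]


def assess(data: bytes):
    """One finding per duplicated object: 'info' for body-only differences
    (the normal incremental-update case), 'high' when any competing body
    carries active content."""
    findings = []
    for (num, gen), defs in sorted(find_duplicate_objects(data).items()):
        keys = sorted({k for _, body in defs for k in active_content(body)})
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(defs),
            "offsets": [off for off, _ in defs],
            "active_content": keys,
            "severity": "high" if keys else "info",
        })
    return findings


# Constructed sample. xref tables are omitted because the scanner never
# consults them; example.invalid is a placeholder, not the report's URL.
ORIGINAL = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://example.invalid/benign) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 5 >>\n%%EOF\n"
)
# Incremental update appended after the first %%EOF: a harmless change to
# object 2, a retargeted link in object 4, and an /OpenAction on object 1.
UPDATE = (
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 /MediaBox [0 0 612 792] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://example.invalid/phish) >> >>\nendobj\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 5 /Prev 9 >>\n%%EOF\n"
)
SAMPLE = ORIGINAL + UPDATE

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
    print("first-wins 4 0:", resolve(SAMPLE, 4, 0, "first"))
    print("last-wins  4 0:", resolve(SAMPLE, 4, 0, "last"))
```

On a real file, pass `open(path, "rb").read()` to `assess()`. The two `resolve()` calls make the heuristic's point concrete: a first-wins reader resolves object 4 to the benign link, a last-wins reader to the replacement, and object 2 shows why a body-only difference stays at info severity.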

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00010be1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10BE1  5480 bytes
  SHA-256: fe264bd4952f224c4166a44959f3461af24fdb6c2c77fe293c50010034c069f5
font_01_sfnt_off00011e7c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11E7C  11340 bytes
  SHA-256: 52e416477e03bb7a6535de072e2ca8b44a6aa7a16211cd0d15681c5edf7b19d8
font_02_sfnt_off000144c1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x144C1  16920 bytes
  SHA-256: a458ea8686f2ebb47c247777747e08763876c97496fa38851c54c6ef35736056
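The carving step behind this table can be reproduced as follows. This is an added example, not the analysis pipeline's own carver: it locates stream objects, honours a direct /Length where present, inflates /FlateDecode payloads with zlib, recognises an sfnt offset table (0x00010000, 'OTTO' or 'true') and sizes the font from its own table directory instead of trusting the stream's attacker-controlled /Length1. The two-table font and the PDF wrapping it are constructed inline so the block runs offline; they carry no glyph data.

```python
"""Carve sfnt-wrapped fonts (TrueType/OpenType) out of PDF streams.

Added example for this page; not the report's own carver. The PDF and the
font it embeds are constructed below so the block runs stand-alone.
"""
import hashlib
import re
import struct
import zlib

# A stream object: "N G obj << dict >> stream ... endstream". The tempered
# (?!endobj) stops the dictionary match from running across stream-less
# objects. The stream body is re-sliced by a direct /Length when one exists.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.S)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")

# sfnt version tags: TrueType (0x00010000), CFF-based OpenType ('OTTO') and
# Apple TrueType ('true'). Collections ('ttcf') use a different header and
# are deliberately not handled here.
SFNT_TAGS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}
MAX_TABLES = 64


def sfnt_length(buf: bytes):
    """Size of the font computed from its table directory (12-byte offset
    table followed by numTables 16-byte records), or None when buf is not a
    plausible sfnt: wrong tag, zero or absurd numTables, or a table record
    pointing outside the buffer (truncated or malformed font)."""
    if len(buf) < 12 or buf[:4] not in SFNT_TAGS:
        return None
    num_tables = struct.unpack(">H", buf[4:6])[0]
    directory_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= MAX_TABLES or len(buf) < directory_end:
        return None
    end = directory_end
    for i in range(num_tables):
        record = buf[12 + 16 * i: 28 + 16 * i]
        _tag, _checksum, offset, length = struct.unpack(">4sIII", record)
        if offset < directory_end or offset + length > len(buf):
            return None
        end = max(end, offset + length)
    return end


def carve_sfnt_fonts(pdf: bytes):
    """One record per stream whose decoded payload starts with an sfnt offset
    table: object id, file offset of the stream data, carved size, SHA-256
    and the carved bytes. Filters other than FlateDecode are not decoded."""
    fonts = []
    for m in STREAM_RE.finditer(pdf):
        num, gen, dictionary = int(m.group(1)), int(m.group(2)), m.group(3)
        start = m.start(4)
        direct = DIRECT_LENGTH_RE.search(dictionary)
        raw = pdf[start:start + int(direct.group(1))] if direct else m.group(4)
        payload = raw
        if b"/FlateDecode" in dictionary:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or multi-filter stream; skip it
        length = sfnt_length(payload)
        if length is None:
            continue
        blob = payload[:length]
        fonts.append({
            "obj": f"{num} {gen}",
            "offset": start,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "data": blob,
        })
    return fonts


def build_test_font():
    """Constructed two-table sfnt with no glyph data: enough to exercise the
    directory walk, not a usable font. Tables are 4-byte aligned as in real
    fonts, so the buffer is a little longer than the computed size."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"\x00" * 10)]
    directory, body = b"", b""
    offset = 12 + 16 * len(tables)
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        padded = data + b"\x00" * (-len(data) % 4)
        body += padded
        offset += len(padded)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 32, 1, 0)
    return header + directory + body


FONT = build_test_font()
COMPRESSED = zlib.compress(FONT)

# Constructed PDF: a FlateDecode /FontFile2 stream carrying FONT plus an
# uncompressed non-font stream the carver must ignore.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Font /Subtype /TrueType /BaseFont /Demo /FontDescriptor 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /FontDescriptor /FontName /Demo /FontFile2 4 0 R >>\nendobj\n"
    + b"4 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
    % (len(COMPRESSED), len(FONT))
    + COMPRESSED + b"\nendstream\nendobj\n"
    + b"5 0 obj\n<< /Length 11 >>\nstream\nnot a font\n\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for font in carve_sfnt_fonts(SAMPLE_PDF):
        print(font["obj"], hex(font["offset"]), font["size"], font["sha256"])
```

The recorded offset is where the stream payload begins in the file. Sizing from the table directory rather than from /Length1 means a stream whose declared length disagrees with its contents, or a font whose records point past the buffer, is rejected instead of carved blindly; the resulting blobs can then be hashed and compared against the table above or handed to a font parser for deeper inspection.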