Malicious PDF — malware analysis report

Static analysis result for SHA-256 6684509418409737…

Verdict: MALICIOUS
File type: PDF
Size: 71.4 KB
Created: 2021-06-01 17:31:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0e3ef0c840bfcb6dac82d2e08c599fe3
SHA-1: 60911ec53c4ee9976021f621e9226990cefaa67e
SHA-256: 6684509418409737a191b37ae989082f7b0c8ff1d3085a2856b0b922c21a868e
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A machine-learning classifier and ClamAV both flag the PDF as malicious; the ClamAV signature name (Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0) labels it as a phishing trojan. The highlighted embedded URL, https://archism.ru/pbw?utm_term=injustice+2+mobile+hack+ios+2020, carries a query string advertising a hack for 'Injustice 2 mobile', a social-engineering lure aimed at users searching for game cheats. No JavaScript or other script was extracted from the file, so the T1059.007 (JavaScript) mapping above is not backed by recovered script content; the verdict rests on the classifier score, the ClamAV signature, and the lure URL. The expected next stage is that a user who follows the link is tricked into downloading further malware from the linked page.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (4)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware, signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF_URI (info): PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; the info severity here means no active content was found in either copy, but the two bodies are still worth diffing by hand.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://archism.ru/pbw?utm_term=injustice+2+mobile+hack+ios+2020
    Other URLs extracted from the document:
    • https://cdn-cms.f-static.net/uploads/4382973/normal_605a6ad039c38.pdf
    • https://static.s123-cdn-static.com/uploads/4449422/normal_6005fd583e31f.pdf
    • https://cdn-cms.f-static.net/uploads/4477910/normal_6065f9f6e58a7.pdf
    • https://cdn-cms.f-static.net/uploads/4476924/normal_60256c1074a75.pdf
    • https://cdn-cms.f-static.net/uploads/4374021/normal_601e7916254c6.pdf
    • https://static.s123-cdn-static.com/uploads/4446923/normal_5fff40e7eed09.pdf
    • https://static.s123-cdn-static.com/uploads/4464297/normal_5fe1a30f1412a.pdf
    • https://static.s123-cdn-static.com/uploads/4474456/normal_5fcc13496566b.pdf
    • https://cdn-cms.f-static.net/uploads/4487927/normal_60625816ebf69.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zelovoguvunu.pbworks.com/w/file/fetch/144427119/butuxepube.pdf
    • http://jopamedet.pbworks.com/w/file/fetch/144444063/unblocked_games_castle_wars.pdf
    • http://bemulopawed.pbworks.com/f/asc_timetables_2020_crack_plus_free_registration_code.pdf
    • http://jotoxipigi.pbworks.com/w/file/fetch/144448956/not_pass_probation_period.pdf
    • https://uploads.strikinglycdn.com/files/2b07da2c-c47f-4053-acba-707d0eb339cd/where_is_5th_3rd_bank.pdf
    • http://paderukut.pbworks.com/f/how_to_install_the_capitec_app.pdf
    • http://gogoporiwo.pbworks.com/f/comic_8_casino_king_part_2_full_movie_download.pdf
    • https://uploads.strikinglycdn.com/files/42d85a68-40d0-4332-adeb-da11468556d3/marshall_mg100hdfx_head.pdf
    • http://mikabipi.pbworks.com/w/file/fetch/144437379/spectrum_rc122_remote_codes.pdf
    • https://uploads.strikinglycdn.com/files/5ba52081-7be8-43a4-b401-1de3cc73392e/levezijosudufedu.pdf
    • https://uploads.strikinglycdn.com/files/cc3af802-c56a-4f5c-99a8-74f4c39b566f/kitchenaid_gas_range_oven_light_replacement.pdf
    • https://uploads.strikinglycdn.com/files/133d91c6-5f1b-4f88-b264-aca587e99ce5/vivasakoxuva.pdf
    • https://uploads.strikinglycdn.com/files/5a87f0a8-c343-4b10-ba71-698828ce357a/how_to_diagnose_refrigerator_not_cooling.pdf
    • https://uploads.strikinglycdn.com/files/e988a623-8704-470e-a6e1-c208953a7623/15445980783.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
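The two heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL, are easy to reproduce on raw bytes. The following Python script is an added example written for this page, not the analysis platform's own detector: it walks every `N G obj ... endobj` definition in file order, reports object numbers whose duplicate definitions differ and whether any copy carries active content, shows what a first-wins and a last-wins reader would each resolve, and labels each extracted URL with the channel that reached it. The embedded PDF is constructed for the demonstration (an incremental update that silently replaces a link annotation with a JavaScript action); the channel names (`uri-action`, `javascript`, `body`) and the active-content key list are this example's own choices, not the report's. It does not unpack object streams or decode filters, so on compressed files it must be run after decompression.

```python
import re

# Constructed sample (not the analysed file): a one-page PDF whose incremental
# update redefines object "4 0", turning a harmless link annotation into a
# JavaScript action. A first-wins reader sees the link; a last-wins reader
# (the normal incremental-update semantics) sees the script.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/benign) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL("https://example.invalid/bad", true)) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s()<>\"'\]]+")
# Only the "/S /URI ... /URI (...)" key order is handled; real files may swap it.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.DOTALL)
JS_RE = re.compile(rb"/(JS|JavaScript)\b")
# Keys that make a duplicate worth escalating. This list is the example's own
# choice; the report does not say which keys its heuristic treats as active.
ACTIVE_RE = re.compile(
    rb"/(JS|JavaScript|Launch|OpenAction|AA|SubmitForm|GoToR|RichMedia)\b")


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def find_duplicate_objects(data):
    """Map (num, gen) -> {'bodies': [...], 'active': bool} for every object
    defined more than once with differing body bytes."""
    seen = {}
    for num, gen, body in iter_objects(data):
        seen.setdefault((num, gen), []).append(body)
    result = {}
    for key, bodies in seen.items():
        if len(set(bodies)) > 1:
            result[key] = {
                "bodies": bodies,
                "active": any(ACTIVE_RE.search(b) for b in bodies),
            }
    return result


def resolve(data, num, gen, policy="last"):
    """Return the body a first-wins or last-wins reader would use, or None."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_urls(data):
    """Return sorted (channel, url) pairs: 'uri-action' for the target of a
    /URI action, 'javascript' for a URL inside an object that carries /JS,
    'body' for anything else (metadata, font streams, plain text)."""
    found = set()
    for _num, _gen, body in iter_objects(data):
        for m in URI_ACTION_RE.finditer(body):
            found.add(("uri-action", m.group(1).decode("latin-1")))
        channel = "javascript" if JS_RE.search(body) else "body"
        for m in URL_RE.finditer(body):
            url = m.group(0).decode("latin-1")
            if ("uri-action", url) not in found:
                found.add((channel, url))
    # Catch URLs that live outside any object (e.g. XMP metadata after %%EOF).
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if not any(u == url for _c, u in found):
            found.add(("body", url))
    return sorted(found)


def main():
    for (num, gen), info in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined {len(info['bodies'])}x, active={info['active']}")
        print("  first-wins:", resolve(SAMPLE_PDF, num, gen, "first")[:70])
        print("  last-wins: ", resolve(SAMPLE_PDF, num, gen, "last")[:70])
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:>10}  {url}")


if __name__ == "__main__":
    main()
```

On the constructed sample the duplicate of object 4 0 is escalated because its second body carries /JavaScript, which is exactly the case the report's heuristic describes as raising severity; on the analysed file the heuristic stayed at info, so the same diff would show two bodies with no action keys. The channel label is what separates a lure from noise: of the URLs listed above, the w3.org, purl.org and ns.adobe.com entries are XMP namespace identifiers and scripts.sil.org/OFL is the SIL Open Font License URL, reached through metadata and font streams rather than through any action, while the archism.ru link is the one an action can actually send a reader to.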

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                     Size
font_00_sfnt_off0000d73e.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xD73E   5432 bytes
  SHA-256: 93d58205d7cd058feffba91d9cd06671f1ea4e0d094b9f37b632609256accb1e
font_01_sfnt_off0000e994.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE994  10772 bytes
  SHA-256: 1e2603a3b11c578131e34e0b0456a41507fcc613074c7c711b2ba53df3e81f89