Malicious PDF — malware analysis report

Static analysis result for SHA-256 67f1aef59b0fd6c1…

Verdict: MALICIOUS
File type: PDF
Size: 210.6 KB
Created: 2021-01-19 04:54:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-29
MD5: 9e3533f0a5deb7cd861c6675ce5a74a7
SHA-1: 4e2d05a2dea1084ec2dd7e9c33cf23afebea9ac0
SHA-256: 67f1aef59b0fd6c1dd07a2328422ac13234bf962de780f11284501459806d324
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, likely for phishing or malware distribution. The ClamAV detection and ML classifier strongly indicate malicious intent. While no scripts were explicitly extracted, the presence of external URIs and the overall classification suggest this PDF is designed to trick users into visiting a malicious site, potentially leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7450

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/123?utm_term=27+books+of+the+new+testament+in+order (PDF link annotation)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename (kind): source, size
  • font_00_sfnt_off000297e7.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x297E7, 6500 bytes
    SHA-256: 1b3afb5dc8d15c4064ce8c4487f33ae88a40fc73fbe974b970ce216cc92458cf
  • font_01_sfnt_off0002a81b.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x2A81B, 5528 bytes
    SHA-256: 49d01143b536b667e3bd8ce0a7fca2909a97b3ed18d351e4de36d246b9914ec3
  • font_02_sfnt_off0002bad5.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x2BAD5, 20568 bytes
    SHA-256: 7a2542c00c9f73eb74cb20a6c863a5ff14f80b69eb4a34c38dbb410b39374d7d
  • font_03_sfnt_off0002d9aa.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x2D9AA, 18876 bytes
    SHA-256: 391dcb5d186312b237dfc9e92a5415486013cc611553d7c1de7dbb2874781caf
  • font_04_sfnt_off000312e7.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x312E7, 16460 bytes
    SHA-256: c7743f0a541917256e7bd80c437b8a8ce16354eb33f23c608241fc7619d4d35e
  • font_05_sfnt_off000328b3.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x328B3, 6896 bytes
    SHA-256: 2889b475c25653c9b216be7b1152dac214f74d31997577bb8ccc0b057fd11fd1