Malicious PDF — malware analysis report

Static analysis result for SHA-256 68dc8e9819742a34…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-03-22 12:57:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 0d3279561e65bb90e565b9801f3fd38d
SHA-1: 72eb0499f55dbb0fd309c016c2e4f71ef8433a2f
SHA-256: 68dc8e9819742a3409027870043293adbd1dec54d9a8a6668069d60c1514163c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/wix?keyword=principles+of+business+and+finance+class (PDF link annotation)
    • https://cdn.sqhk.co/zanotunuzi/VqKtNjb/17246678241.pdf (in PDF document text)
    • https://cdn.sqhk.co/dijabidasu/ijejhar/soccer_heads_unblocked_2016-_17.pdf (in PDF document text)
    • http://texewofe.22web.org/baldur_s_gate_strategy_guide.pdf (in PDF document text)
    • https://cdn.sqhk.co/remokuvupen/cBgf437/ranufizijufenu.pdf (in PDF document text)
    • https://cdn.sqhk.co/baxorurifina/337coie/civilization_revolution_2_apk_mod.pdf (in PDF document text)
    • https://cdn.sqhk.co/bujasugawo/ck0PrwK/zawolejozedizo.pdf (in PDF document text)
    • https://cdn.sqhk.co/jukunobegabe/I8Qgcja/monument_valley_17_mile_drive_map.pdf (in PDF document text)
    • https://cdn.sqhk.co/letareximo/heAbqwD/line_driver_game_ad.pdf (in PDF document text)
    • https://cdn.sqhk.co/morureju/jhiihd4/videos_de_super_slime_sam_abriendo_juguetes_nuevos.pdf (in PDF document text)
    • https://cdn.sqhk.co/fafovewidom/gghgfRW/hit_the_glass_wall.pdf (in PDF document text)
    • https://cdn.sqhk.co/noperizapewo/jjfic10/kit_viet_nam_dream_league_soccer_2019_tottenham.pdf (in PDF document text)
    • https://cdn.sqhk.co/jirudumom/fwjchc1/providing_telehealth_therapy_across_state_lines.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d1160ef6-c1a0-4179-bb45-774b19badeb7/how_do_i_fix_my_table_of_contents_in_word.pdf (in PDF document text)
    • https://s3.amazonaws.com/gazivemon/sazogexegepekegalaxu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/816c7bd1-0416-4481-bddb-32b39847ebd5/tupise.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cdf60645-0790-4827-9ef1-88638a635fcc/xaduremuwuvezifadi.pdf (in PDF document text)
    • http://topeleseluvon.rf.gd/subarachnoid_hemorrhage_treatment.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d985e2d6-7523-4ae5-b0ea-d41a83374624/88928361854.pdf (in PDF document text)
    • http://nataxos.epizy.com/a_connecticut_yankee_in_king_arthurs_court_plot.pdf (in PDF document text)
    • https://s3.amazonaws.com/rejiner/can_you_sue_for_emotional_distress_in_new_jersey.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6deb1696-44d5-4594-ae67-30aeca542442/8414206626.pdf (in PDF document text)
    • https://s3.amazonaws.com/kovozenamofox/celsius_fahrenheit_chart.pdf (in PDF document text)
    • http://motinekan.epizy.com/arab_horror_movies.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000edaa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEDAA
    Size: 5092 bytes
    SHA-256: 1c913623cc049c70ba09325aed9ee1a820e8e4d13ee2558159f0b1be001be3f7
  • font_01_sfnt_off0000fee5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFEE5
    Size: 9832 bytes
    SHA-256: 165f9864aacdcbc5ab2a16fa921396eaa1b234f3cac750f3c30bf5058f596378
  • font_02_sfnt_off00012068.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12068
    Size: 4324 bytes
    SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e