Malicious PDF — malware analysis report

Static analysis result for SHA-256 6afc783e40a17bf3…

MALICIOUS

PDF

Size: 162.6 KB
Created: 2021-05-28 02:40:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1abb1cc360d1e56b89130d6265deb57
SHA-1: 7bf18a851e68b84e0b32017382aaae3bfe5aadf4
SHA-256: 6afc783e40a17bf3fc45c88bfb5b8da878e9e6eba01156e75df0ac188dd58531
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that, when combined with the heuristic 'Urgency / deadline lure' and the ClamAV detection, strongly suggests a phishing attempt. The ML classifier also flagged this PDF with high confidence. The primary IOC is the external URI pointing to a suspicious domain, likely serving a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000243b1.bin
    SHA-256: 5757b9a0f0ccf2ac6ecb2d4c8d1b2f69fe6c28478f5d4d2be2a757efc1d57244
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x243B1
    Size: 4912 bytes
  • Filename: font_01_sfnt_off00025486.bin
    SHA-256: 48945a9648ba390c02b0d9702cd60489a4332f2e59f7a23ea4f3ecc2bbef3709
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x25486
    Size: 11592 bytes