Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bffeac19067bfb5…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-05-28 09:00:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: dba7d2b1ece72453900737696557ddc6
SHA-1: 0056dae56ce64c14e04707fd67c2fe08b829ab20
SHA-256: 6bffeac19067bfb5929f16e38c3bdce401e3704df494d0b5a51d707e6234a0c4
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a URL that is likely intended to lead the user to a phishing or malware distribution site. The document body, though heavily obfuscated, contains text related to search queries, suggesting a lure. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/strik?utm_term=how+do+i+write+a+good+biography+about+myself (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000f510.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF510 | 5748 bytes
  SHA-256: 7f3c06f97783390893a705e8722253e24bbf45d96f1b2ca82d166053912c242b
font_01_sfnt_off0001088b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1088B | 10876 bytes
  SHA-256: 457756611e15b49b4904c8dfa64a74ed37e7714401fbbfa66af2b74a4dee0faa