Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d44338566b836c5…

MALICIOUS

PDF

71.7 KB Created: 2020-12-28 05:40:20 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-02
MD5: 436afccdab71bddfe90e5b4b82c6d2ad SHA-1: d2bbaa072b5d860c14026f8e67cf129002113f4d SHA-256: 6d44338566b836c500ab40d13fe9a7a06f27af67c9ce9c8d4049020c57186bad
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URL pointing to a suspicious domain, which is likely used to deliver a secondary payload or conduct phishing. The document body, though heavily obfuscated, suggests a lure related to free templates.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/aws?utm_term=free+cork+board+powerpoint+template PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4417537/normal_5fc27edda1935.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4380086/normal_5fc480e040726.pdfIn PDF document text
    • https://cdn.sqhk.co/boxokozofe/vRgg5jg/classroom_management_strategies_for_teachers_ppt.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4483586/normal_5fde8f125c0b6.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4419820/normal_5fe15f1bc03fd.pdfIn PDF document text
    • https://cdn.sqhk.co/mekizojo/gfdZhjW/physics_puzzle_games.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4366639/normal_5f9fdb3ab2aea.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://s3.amazonaws.com/zatazewoz/baldi_s_basics_online_no_unblocked.pdfIn PDF document text
    • https://s3.amazonaws.com/lunojol/microsoft_access_tutorial.pdfIn PDF document text
    • https://s3.amazonaws.com/jolituzoji/50031364197.pdfIn PDF document text
    • https://s3.amazonaws.com/wukara/accessories_website_templates.pdfIn PDF document text
    • https://s3.amazonaws.com/jexijer/23742521974.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000db56.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDB56 5292 bytes
SHA-256: e57ca09aa2133604fb45c06025bab894cda6b6d4f13fdeeea83047ed22c836bb
font_01_sfnt_off0000ed56.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xED56 10840 bytes
SHA-256: b8d6604e06c47af2b7f2d9143eb0a27ab258aff3fc17d9716528118b4adf6c89