Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f68ed6762c897e4…

Verdict: MALICIOUS
File type: PDF
Size: 116.1 KB
Created: 2021-03-31 09:56:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 956029f12e839bb7759f119c1013a983
SHA-1: 240f3aabc7ed33e291d61184a8a3f857469e9543
SHA-256: 6f68ed6762c897e44129490cfb188c96e9975eda63379345e8eb41e936fe88aa
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, contains text related to weather, suggesting a lure to a malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/strik?utm_term=what+is+the+weather+for+dc (in PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001875e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1875E
    Size: 5184 bytes
    SHA-256: 8c3b9d1597ad897aa5fa41d99046e81c0f8a2244eadb05a2be017ffbab218559
  • font_01_sfnt_off00019910.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19910
    Size: 12380 bytes
    SHA-256: c01612383df5536bd77303d277d07c39c9d9626b606b13ab93ab10bc0fbcbb16