Malicious PDF — malware analysis report

Static analysis result for SHA-256 702c37735b897272…

MALICIOUS

PDF

  • Size: 79.1 KB
  • Created: 2021-05-23 17:41:41 +03:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • First seen: 2021-11-22
  • MD5: 1bed8d9b007d7d7289ff75c5ad1984d0
  • SHA-1: e25fe238fb3c651d7e29c7c49977d75c7330fb12
  • SHA-256: 702c37735b897272dec55cf7c9751c3d1482cda6ac83bc6454d95713df0051ba
  • Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a lure related to making moonshine, which is a common social engineering tactic. It embeds a URL that likely leads to a malicious site, as indicated by the ML classifier and ClamAV detection. No scripts were extracted, but the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious external resource.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9783

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/strik?utm_term=how+to+make+moonshine+still+step+by+step (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010515.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10515
    Size: 5324 bytes
    SHA-256: 7f3bee9d6581e39ca2e1c24da38b80b1403b5972a850ce802379a628383b0b85
  • Filename: font_01_sfnt_off00011718.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11718
    Size: 11560 bytes
    SHA-256: d9b1d0f7514b6c3041525a641b72bfef101254ec62c56b563f17c2191dc86244