Malicious PDF — malware analysis report

Static analysis result for SHA-256 735614f9f79b27c4…

Verdict: MALICIOUS
Type: PDF
Size: 80.0 KB
Created: 2021-03-30 06:30:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-13
MD5: 71abd766507391c772fa82672ef1a46d
SHA-1: 0207ee1fded4f9380248e5a91b81fd3ac953837a
SHA-256: 735614f9f79b27c45eb728050c5e554ba49a32c97792509ace41d594c37bae9b
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

ClamAV and the ML classifier both flag the file as malicious, and a heuristic reports an external URI action. The URL https://jumiwimov.ru/wix?keyword=turtle+fish+games is the only one reached through a link annotation, so it is the one a reader who clicks on the document is sent to; it is suspicious and likely leads to a phishing or malware-distribution site. The remaining extracted URLs occur only in document text: a cluster of download-style PDF links on file-hosting domains (f-static.net, s123-cdn-static.com, sqhk.co, s3.amazonaws.com, filesusr.com) and a set of XMP namespace, font-foundry and OFL licence URIs that are normal residue of wkhtmltopdf/Qt metadata and embedded fonts, not indicators on their own. The document body is heavily obfuscated, but its metadata shows it was generated by wkhtmltopdf 0.12.5, a tool that renders web content to PDF, which is consistent with a web lure captured as a PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jumiwimov.ru/wix?keyword=turtle+fish+games  (PDF link annotation)
    • http://slimerecipe.org/bhoot_ki_photo_wallpaperirl54.pdf  (in PDF document text)
    • http://sodalabs.club/powerstation_psx3eu_batteryw0i7q.pdf  (in PDF document text)
    • http://meetsoda.club/civil_engineering_material_testing_lab_manualywt0p.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4413239/normal_600eba8e14da0.pdf  (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4415745/normal_604f1588b9acc.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4485308/normal_6001e501a5e18.pdf  (in PDF document text)
    • https://cdn.sqhk.co/xigofidiw/0G2AggB/download_shark_run_game.pdf  (in PDF document text)
    • https://cdn.sqhk.co/talurelope/jes0vjd/76826708193.pdf  (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4421208/normal_5ffe6bfd5a488.pdf  (in PDF document text)
    • https://cdn.sqhk.co/zogowefu/gdthhQX/define_pog_in_gaming.pdf  (in PDF document text)
    • http://dehydratedoriginalgoodness.com/luriburikadomul4s8z.pdf  (in PDF document text)
    • https://cdn.sqhk.co/mevazasid/iicJDwC/tagivovageme.pdf  (in PDF document text)
    • https://cdn.sqhk.co/xedasuzefer/ic8hehi/stupid_zombies_2_mod_apk_unlimited_ammo_download.pdf  (in PDF document text)
    • http://www.ascendercorp.com/  (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html  (in PDF document text)
    • http://www.daltonmaag.com/  (in PDF document text)
    • https://s3.amazonaws.com/wutisigila/magazine_design_templates_vector.pdf  (in PDF document text)
    • https://eae964be-cf9f-49a8-9b2f-00020d526acb.filesusr.com/ugd/e932cf_9f094cadbea54dc983c386722ce68d6b.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/zalisujezajaje/truecaller_caller_id_free.pdf  (in PDF document text)
    • https://ad0d0dbb-669b-46a9-85df-79487014a0f3.filesusr.com/ugd/00d95d_0072ff337d404883a0c0c3da33e668fb.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/dalava/70350446561.pdf  (in PDF document text)
    • https://366cd995-4ddf-4220-a197-7cea849caf0e.filesusr.com/ugd/947062_70b9f466af2548e291971f6150a7784c.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/muvojugejoxip/jawbone_mini_jambox_firmware.pdf  (in PDF document text)
    • https://ff06b2c9-6223-4357-b4d5-1bf3807c749f.filesusr.com/ugd/717131_48018a178e304cc8bef2be67ca907f90.pdf?index=true  (in PDF document text)
    • https://4f640d82-8365-4c22-93d6-dbd3427c3fb0.filesusr.com/ugd/55e8b7_75eed36ca3354d80b2448ee8f7869217.pdf?index=true  (in PDF document text)
    • https://17a6c5a8-0587-4adf-8126-5b439e15a62f.filesusr.com/ugd/54bec1_6454d6a089da435385f1c6fc800f9f56.pdf?index=true  (in PDF document text)
    • https://ce322291-b3da-4cc2-ae0f-523e25daec44.filesusr.com/ugd/4530da_c54283e337ae42e48f9912de0b166b7c.pdf?index=true  (in PDF document text)
    • https://s3.amazonaws.com/xaliwalufoguni/chicken_invaders_full_version.pdf  (in PDF document text)
    • https://45ed8376-e832-497f-ab20-0a31924dc5db.filesusr.com/ugd/4b7290_84b4b672d52d455d90d6a7dd1c09da93.pdf?index=true  (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in PDF document text)
    • http://purl.org/dc/elements/1.1/  (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/  (in PDF document text)
    • http://scripts.sil.org/OFL  (in PDF document text)
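The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a short regex-level triage pass over the raw file. The script below is an added example written for this page, not the analysis platform's own detector. SAMPLE_PDF, the lure.example URL and the "high"/"info" severity labels are constructed for illustration; the script does not parse cross-reference tables or compressed object streams (/ObjStm), so it is a first pass, not a substitute for a real parser.

```python
import hashlib
import re
from collections import defaultdict

# "N G obj <body> endobj"; the lookbehind stops "12 0 obj" from matching as "2 0 obj".
# Objects packed inside compressed object streams (/ObjStm) are invisible to this regex.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI followed by a literal string; the "\\." branch keeps escaped parens inside it.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys that turn an object into active content rather than inert page data.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")

# Constructed sample (not the analysed file): a plain link annotation, then an
# incremental update that redefines the same object 4 0 with a /URI action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\nstartxref\n9\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://lure.example/a\\)b) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 9 >>\nstartxref\n9\n%%EOF\n"
)


def find_objects(pdf):
    """{(num, gen): [body, ...]} with bodies in file order (index 0 = original definition)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3))
    return objs


def update_count(pdf):
    """Number of incremental updates: every xref section ends with 'startxref'."""
    return max(pdf.count(b"startxref") - 1, 0)


def resolve(pdf, num, gen, last_wins=True):
    """Body that a last-wins (spec-conformant) or first-wins reader would use for N G."""
    bodies = find_objects(pdf).get((num, gen))
    if not bodies:
        return None
    return bodies[-1] if last_wins else bodies[0]


def duplicate_objects(pdf):
    """Objects defined more than once with differing body bytes.

    Returns {(num, gen): {"hashes": [...], "severity": "high" | "info"}}.  Severity is
    raised only when one of the bodies carries active content, mirroring the rule text.
    """
    out = {}
    for key, bodies in find_objects(pdf).items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue
        active = any(k in body for body in bodies for k in ACTIVE_KEYS)
        out[key] = {
            "hashes": [hashlib.sha256(body).hexdigest() for body in bodies],
            "severity": "high" if active else "info",
        }
    return out


def unescape(lit):
    # Decode a PDF literal string: backslash-escaped ( ) \ n r t; other escapes keep the char.
    esc = {ord("n"): 10, ord("r"): 13, ord("t"): 9}
    out = bytearray()
    i = 0
    while i < len(lit):
        if lit[i] == 0x5C and i + 1 < len(lit):  # backslash escape
            out.append(esc.get(lit[i + 1], lit[i + 1]))
            i += 2
        else:
            out.append(lit[i])
            i += 1
    return out.decode("latin-1")


def uri_actions(pdf):
    """[(obj key, definition index, url)] for every /URI literal; index > 0 means the
    URL was introduced by an incremental update rather than the original object."""
    hits = []
    for key, bodies in find_objects(pdf).items():
        for idx, body in enumerate(bodies):
            for m in URI_RE.finditer(body):
                hits.append((key, idx, unescape(m.group(1))))
    return hits


if __name__ == "__main__":
    print("incremental updates:", update_count(SAMPLE_PDF))
    for key, info in duplicate_objects(SAMPLE_PDF).items():
        print("duplicate object", key, info["severity"], info["hashes"])
    for key, idx, url in uri_actions(SAMPLE_PDF):
        print("URI action in", key, "definition", idx, "->", url)
```

On the constructed sample a first-wins reader resolves object 4 0 to the inert annotation while a last-wins reader (the behaviour the specification mandates) gets the /URI action, which is exactly the split the heuristic describes; on a real sample, compare the output against the objects a proper parser such as a reference viewer actually renders.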

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0000f132.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF132    4796 bytes
    SHA-256: db65248d169a27f5b610ba0c8a78064291d8b770b198b572529301404ac115e1
font_01_sfnt_off0001017c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1017C   10240 bytes
    SHA-256: 0f9c816cf16da87407a52b7f816b373f613dc81f3c85009fd16d6dd9edfa486f
font_02_sfnt_off0001248e.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1248E   4324 bytes
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
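To re-derive the artifact hashes above from the raw file, the font programs have to be carved out of the PDF's streams and decoded. The carver below is an added example for this page, not the platform's own tooling; SAMPLE_PDF, FAKE_SFNT and the filename scheme it reproduces are constructed for the example. It handles only the FlateDecode filter, and because the table does not say whether its offsets refer to the raw or the decoded bytes, it reports the offset of the raw stream data.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}       # TrueType / Apple TrueType / CFF OpenType
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")              # 'stream' keyword, not 'endstream'
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")    # direct /Length only, not "N G R"

# Constructed minimal sfnt: offset table (numTables=1) + one 'head' table record + 4 bytes.
FAKE_SFNT = (
    b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
    + b"head" + struct.pack(">III", 0, 28, 4)
    + b"\x00\x01\x00\x00"
)
TEXT_Z = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")        # an ordinary content stream
FONT_Z = zlib.compress(FAKE_SFNT)

# Constructed sample (not the analysed file): one content stream with a direct /Length and
# one font stream whose /Length is an indirect reference, as real font streams often have.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(TEXT_Z)
    + TEXT_Z + b"\nendstream\nendobj\n"
    + b"6 0 obj\n<< /Length 7 0 R /Filter /FlateDecode /Length1 %d >>\nstream\n" % len(FAKE_SFNT)
    + FONT_Z + b"\nendstream\nendobj\n"
    + b"7 0 obj\n%d\nendobj\n" % len(FONT_Z)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def _strip_eol(data):
    """Remove the single EOL that separates stream data from 'endstream'."""
    if data.endswith(b"\r\n"):
        return data[:-2]
    if data.endswith(b"\n") or data.endswith(b"\r"):
        return data[:-1]
    return data


def iter_streams(pdf):
    """Yield (raw_offset, dictionary_bytes, raw_stream_bytes) for every stream in the file."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        head = pdf.rfind(b" obj", 0, m.start())
        dictionary = pdf[head:m.start()] if head >= 0 else b""
        end = -1
        n = LENGTH_RE.search(dictionary)
        if n:
            end = start + int(n.group(1))
            # A /Length that does not land on 'endstream' is lying; fall back to the keyword.
            if not pdf[end:end + 12].lstrip(b"\r\n").startswith(b"endstream"):
                end = -1
        if end < 0:
            kw = pdf.find(b"endstream", start)
            if kw < 0:
                return
            yield start, dictionary, _strip_eol(pdf[start:kw])
        else:
            yield start, dictionary, pdf[start:end]


def sfnt_table_count(data):
    """numTables if data starts with a plausible sfnt offset table, else None."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", data[4:6])[0]
    if num_tables == 0 or len(data) < 12 + 16 * num_tables:
        return None
    return num_tables


def carve_sfnt_fonts(pdf):
    """[(raw_offset, decoded_font_bytes, sha256hex)] for each stream that decodes to an sfnt."""
    found = []
    for offset, dictionary, raw in iter_streams(pdf):
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or bogus stream: skip it rather than abort the carve
        if sfnt_table_count(data) is not None:
            found.append((offset, data, hashlib.sha256(data).hexdigest()))
    return found


def carved_filename(index, offset):
    """Name in the style of the artifact table: font_<idx>_sfnt_off<offset>.bin."""
    return "font_%02d_sfnt_off%08x.bin" % (index, offset)


if __name__ == "__main__":
    for i, (offset, data, digest) in enumerate(carve_sfnt_fonts(SAMPLE_PDF)):
        print(carved_filename(i, offset), len(data), "bytes", digest)
```

Hash the decoded font, not the compressed stream: the same font re-deflated by a different producer yields different stream bytes but the same sfnt, so the decoded hash is the one that pivots across samples.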