Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f43923de4190f21…

Verdict: MALICIOUS
File type: PDF
Size: 66.3 KB
Created: 2020-12-15 14:49:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-01

MD5: 74b30b86443c6178ad9300e8608abd0c
SHA-1: 259a7f87ee6432c08265a5de98e50628400ce56b
SHA-256: 7f43923de4190f2147473d73aea8e2070057b81a7f2642dc8a8ecd57102dcb50

Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve the reference to different content, a parser-confusion shape seen in targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate definition carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000c943.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC943
    Size: 5180 bytes
    SHA-256: 7a1de515855fa5fea3752ad7eb49e064dd9c7a361ef41f1bd5f2ed6b89652223
  • font_01_sfnt_off0000daf5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDAF5
    Size: 9828 bytes
    SHA-256: ef16e4fe49574e0c31e09dd31347e921f97eea808138e678e89da7a93b363cd9