Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fb1c60cca421212…

Verdict: MALICIOUS
File type: PDF
Size: 108.8 KB
Created: 2021-06-08 05:04:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 8596f2cea1ca292cf8662c80de7c23a9
SHA-1: 5ec38cf5ea5541deaf5e76b6320313b229f4e1dd
SHA-256: 7fb1c60cca421212f74167c4df30e1a539ad32b0c30074fd6f490d79b70b39ba
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The file was classified as malicious by the ML classifier (score 0.9988) and by a ClamAV phishing signature, so the verdict rests on two independent detections. The only URL reached through an active channel is the link annotation pointing at philabc.ru; its utm_term parameter, "resumen del libro el jardin secreto rincon del vago", is Spanish for "summary of the book The Secret Garden, Rincón del Vago", which gives the lure theme: a document aimed at someone searching for a book summary. The file was produced with wkhtmltopdf, i.e. a web page rendered to PDF, which fits a lure page exported as a document rather than hand-built PDF objects. The remaining URLs were found only in the document text: links to other hosted PDFs on pbworks.com, strikinglycdn.com and f-static.net, plus XMP namespace and font-licence URLs that carry no indicator value. No JavaScript heuristic fired, so the T1059.007 (JavaScript) ATT&CK mapping is not corroborated by the heuristics listed below; T1566.001 (Spearphishing Attachment) is the mapping the evidence supports.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under that signature name.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; this finding is rated info, so the duplicate here did not.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://philabc.ru/pbw?utm_term=resumen+del+libro+el+jardin+secreto+rincon+del+vago (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4426279/normal_602e697446df4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4374009/normal_603c40228f9e8.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4501791/normal_60461ba318583.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4406466/normal_5fc743cc1ccf9.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4375196/normal_606e1bea9093d.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369900/normal_603be84c6ec14.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4476566/normal_5fe391707173b.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4490950/normal_602c3c3896f06.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4391605/normal_5fe10a381dded.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://vimaxojejo.pbworks.com/f/book_understanding_analysis_by_stephen_abbott.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/85446226-7a92-40fd-a9f4-49bc59e2b2c8/30329265570.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c2286537-b952-4e9d-af46-1e8baf070ac7/tizasokufubugiladupu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d1a51a6c-f684-48c1-876c-79ab84d58923/42331319272.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bb135854-6e58-48c0-908d-0ed23d2131ae/72155780454.pdf (in PDF document text)
    • http://xobapotowi.pbworks.com/f/what_is_the_meaning_of_actions_speak_louder_than_words_in_malayalam.pdf (in PDF document text)
    • http://tisowowuduwe.pbworks.com/w/file/fetch/144597000/unfaithful_movie_download_in_hindi_480p.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6c8dbebb-27f9-41a2-acb0-8b54bc13490e/nikon_dx_af-s_nikkor_55-200mm_review.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0adaf48e-7253-4867-b848-6a2445e45f2e/nora_roberts_year_one_wiki.pdf (in PDF document text)
    • http://dagomiwavi.pbworks.com/w/file/fetch/144548394/95293947340.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a7575fc3-74b0-4567-b10a-6ae6603142a4/tevekinogawemiw.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fa78afec-2809-43ff-8bd2-e29233264310/who_makes_noma_snowblowers.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6fb9f041-6b59-4222-a8e1-a4edd26d6afb/2021_lexus_es_350_f_sport_horsepower.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
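The two PDF-structure heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a short triage scanner. The following is an added example written for this report, not the scanner's own code; it runs on a constructed PDF (labelled in the code) in which an incremental update redefines a link annotation with a /URI action attached, and it shows why a first-wins and a last-wins reader disagree about that object. The active-content key list is an assumption chosen for the example, not the scanner's.

```python
"""Added example (not the scanner's own code): reproduce the PDF_URI and
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks on a constructed PDF.
Standard library only."""
import hashlib
import re

# Constructed sample, not the analysed file.  Object 3 0 is first defined as
# an inert link annotation; an appended incremental update redefines the same
# object number with a /URI action.  The xref tables are omitted because this
# triage scanner walks "N G obj ... endobj" definitions linearly instead of
# following the cross-reference table, which is exactly the difference that
# makes first-wins and last-wins readers disagree.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
3 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]
   /A << /S /URI /URI (https://lure.example.invalid/pbw?utm_term=resumen) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Assumed list of dictionary keys that turn a "body-only difference" into
# active content (the scanner's own list is not published on the page).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI followed by a literal string (...) or a hex string <...>.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")


def iter_objects(data):
    """Yield (num, gen, body, offset) for every indirect object definition in
    file order.  A stream whose payload contains the literal 'endobj' would
    cut the match short; acceptable for triage, not for a full parser."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def extract_uris(data):
    """Return every /URI action target (the PDF_URI channel), decoding PDF
    literal-string escapes and hex strings."""
    uris = []
    for lit, hexs in URI_RE.findall(data):
        if hexs:
            h = re.sub(rb"\s+", b"", hexs)
            raw = bytes.fromhex((h + b"0" * (len(h) % 2)).decode("ascii"))
        else:
            raw = re.sub(rb"\\([()\\])", rb"\1", lit)   # \( \) \\ -> ( ) \
        uris.append(raw.decode("latin-1"))
    return uris


def find_duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: group definitions by (num, gen),
    report those whose bodies differ, and raise severity only when one of
    the bodies carries active content."""
    defs = {}
    for num, gen, body, _ in iter_objects(data):
        defs.setdefault((num, gen), []).append(body)
    findings = []
    for key, bodies in defs.items():
        if len(set(bodies)) < 2:
            continue  # identical re-emission: a benign incremental update
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins_sha256": hashlib.sha256(bodies[0]).hexdigest(),
            "last_wins_sha256": hashlib.sha256(bodies[-1]).hexdigest(),
            "active_content": active,
            "severity": "high" if active else "info",
        })
    return findings


def resolve(data, num, gen, policy="last"):
    """Return the body a first-wins or a last-wins reader would use for N G."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


if __name__ == "__main__":
    for finding in find_duplicate_objects(SAMPLE_PDF):
        print(finding)
    print(extract_uris(SAMPLE_PDF))
```

On the constructed sample the duplicate is rated high because the second body carries a /URI action; on the analysed file the same check stayed at info, consistent with a body-only difference. A reader that honours the last definition follows the link, a first-wins reader never sees it.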

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                        Size
font_00_sfnt_off00013ad7.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x13AD7    5192 bytes
    SHA-256: 8e040d07a70d9d512f5786608a7c935af04623359927f4630731e61e4df611e9
font_01_sfnt_off00014d76.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x14D76    5540 bytes
    SHA-256: 5c76c4f8dc9e7bf6cd8383dd30354efb7cec7a2ee649f8db4dba6901522bb8c4
font_02_sfnt_off0001603f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1603F    12624 bytes
    SHA-256: 1a05ecf7665cbd5580ba337f1b88b1a96c0d1a3fb65b066081a833947fc222ce
font_03_sfnt_off0001892b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1892B    17268 bytes
    SHA-256: 81c09f19ea8374a8a78d4f819f5a410855dc12a5440fd0412972516967e1cd05
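The artifact table reports each font by magic, offset, size and SHA-256. The following is an added example written for this report, not the scanner's own carving code, showing how such a table is produced: locate an sfnt magic, validate the table directory, and take the blob up to the end of its last table. The page does not say whether the scanner's offsets are raw-file or decoded-stream offsets, so this carver takes already-decoded bytes as input; the font it runs on is constructed in the code.

```python
"""Added example (not the scanner's own code): carve sfnt font blobs from a
byte buffer and report offset, size and SHA-256 as the artifact table does.
Input is assumed to be already-decoded bytes (FlateDecode etc. removed)."""
import hashlib
import struct

# sfnt magics: TrueType (0x00010000), CFF-based OpenType ('OTTO'), Apple 'true'.
# TrueType collections ('ttcf') use a different header and are not handled.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # sanity bound on numTables; real fonts stay well below it


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def table_checksum(padded):
    """OpenType table checksum: sum of big-endian uint32 words mod 2**32."""
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def build_sfnt(tables):
    """Build a minimal, structurally valid TrueType container from a
    {tag: bytes} map.  Used here only to construct test input."""
    tags = sorted(tables)
    n = len(tags)
    assert n >= 1
    entry_selector = n.bit_length() - 1            # floor(log2(n))
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range,
                         entry_selector, n * 16 - search_range)
    offset = 12 + 16 * n                           # first table follows the directory
    records, payload = b"", b""
    for tag in tags:
        data = tables[tag]
        padded = data + b"\0" * (-len(data) % 4)   # tables are 4-byte aligned
        records += struct.pack(">4sIII", tag, table_checksum(padded),
                               offset, len(data))
        payload += padded
        offset += len(padded)
    return header + records + payload


def carve_sfnt(data):
    """Find every sfnt-looking blob in data: locate a magic, validate the
    table directory, and carve up to the end of the last table."""
    found, pos = [], 0
    while True:
        hits = [i for i in (data.find(m, pos) for m in SFNT_MAGICS) if i >= 0]
        if not hits:
            return found
        off = min(hits)
        pos = off + 1                              # default: step past a false hit
        if off + 12 > len(data):
            continue
        n = struct.unpack(">H", data[off + 4:off + 6])[0]
        dir_end = off + 12 + 16 * n
        if not 1 <= n <= MAX_TABLES or dir_end > len(data):
            continue
        end, ok = dir_end, True
        for i in range(n):
            rec = data[off + 12 + 16 * i:off + 28 + 16 * i]
            tag, _csum, toff, tlen = struct.unpack(">4sIII", rec)
            if (not all(0x20 <= c < 0x7F for c in tag)   # tag must be printable
                    or toff < 12 + 16 * n                 # table inside the directory
                    or off + toff + tlen > len(data)):    # table runs past the data
                ok = False
                break
            end = max(end, off + toff + tlen)
        if not ok:
            continue
        end = min(end + (-(end - off) % 4), len(data))   # keep alignment padding
        blob = data[off:end]
        found.append({"offset": off, "size": len(blob), "tables": n,
                      "sha256": sha256_hex(blob)})
        pos = end                                  # never rescan inside a carved font


# Constructed input: a two-table font embedded between unrelated bytes.
SAMPLE_FONT = build_sfnt({b"head": b"\0" * 54, b"name": b"hello world"})
SAMPLE_BUFFER = b"A" * 64 + SAMPLE_FONT + b"B" * 16

if __name__ == "__main__":
    for i, f in enumerate(carve_sfnt(SAMPLE_BUFFER)):
        print("font_%02d_sfnt_off%08x.bin  offset 0x%X  %d bytes  %s"
              % (i, f["offset"], f["offset"], f["size"], f["sha256"]))
```

The directory validation matters more than the magic: a four-byte magic alone fires on ordinary data (the TrueType header itself contains a second 0x00010000-looking word at offset 8), so the carver only accepts a hit whose table records are printable, lie after the directory and fit inside the buffer, and it skips to the end of each carved font before scanning on.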