Malicious PDF — malware analysis report

Static analysis result for SHA-256 81a9718520c2ef54…

MALICIOUS

PDF

Size: 80.4 KB
Created: 2021-03-28 12:19:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23

MD5: 3ca72f979350cd1e37e4edd4fcba93e5
SHA-1: 5f271febcc1bd2b1de33629cae079a106ca1cae7
SHA-256: 81a9718520c2ef544ef81d057e944c1845987fe912f6c172f7fd7818cb624b1b

Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV (Pdf.Phishing.Trojan signature) and by an ML classifier. The file carries a link annotation with an external URI action and a number of URLs in its page text that direct users to attacker-controlled resources. The specific URLs and the channel through which each one is reached are listed under the Embedded URL heuristic below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it. Only the first URL below is attached to a link annotation and therefore navigable by a click; the others were recovered from page text and metadata.
    • https://mezovuduw.ru/strik?utm_term=astra+safety+razor+blades+near+me (PDF link annotation)
    • http://bioforcecolumbia.site/4267175488mk5ft.pdf (in PDF document text)
    • http://ellmax-site.xyz/mitsubishi_tv_user_manual5hyd2.pdf (in PDF document text)
    • http://smirno.life/521964530799xsmb.pdf (in PDF document text)
    • http://constructionhouse.info/what_is_the_purpose_of_the_criminal_justice_system_in_australialuumr.pdf (in PDF document text)
    • http://fullpisetc.ru/firumafabosubibosepopujh2yu.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a64db64c-ce17-4451-afb4-3945d9914f1b/cuisinart_convection_bread_maker_gluten_free_recipes.pdf (in PDF document text)
    • https://s3.amazonaws.com/busutafitufe/oxford_inside_reading_2_answer_key.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3bec2a62-5125-4bb5-8d93-9a0db55c6cdb/jezilejesizarisumozef.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/de301c5a-b04e-40e6-b88e-dce2cd8482d8/dias_feriados_enero_2019_puerto_rico.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/76adfffb-ee6a-4bcb-9fd1-7a52192e46b3/62173371506.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b4914c18-6f8c-4104-b53f-66a602337ead/24674687938.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/55b24546-5154-4950-8b39-12613bab75c3/kenmore_elite_washing_machine_wont_turn_on.pdf (in PDF document text)
    • https://s3.amazonaws.com/fokapikow/64446094612.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fc4773f2-5ccc-4159-98ad-62e7efe0bf1e/24430497044.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6069693d-138d-44ab-acce-1f44775a853f/dutapogararil.pdf (in PDF document text)
    • https://s3.amazonaws.com/xomudufe/dell_laptop_latitude_e6510_price_in_pakistan.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/334212a7-e7fe-4b66-b581-7719e2c02af0/jixurowi.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8c104b62-2d7f-4ef7-bf1c-8ed1bf0a8216/traductor_ingles_espaol_gratis_on_line.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c726b7d7-3b3f-42c9-b73e-723e6a583718/how_to_make_a_letter_of_intent_for_business.pdf (in PDF document text)
    • https://s3.amazonaws.com/wetevali/graveyard_keeper_blue_points_guide.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4c17c82b-5b1d-48f8-949c-206a87c7a3cb/free_printable_noun_worksheets_for_5th_grade.pdf (in PDF document text)
    • https://s3.amazonaws.com/lovetijif/trend_analysis_balance_sheet_excel.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9cf44b03-42fe-4acd-ac38-5774aa31725b/fikaketesasokavijunavase.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    The last seven entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org) are RDF/Dublin Core/XMP namespace identifiers and the SIL Open Font License URL: they come from the XMP metadata and the embedded fonts' licence strings, not from clickable links, and should not be treated as indicators. www.ascendercorp.com and www.daltonmaag.com are type-foundry sites and most likely originate in the embedded fonts' copyright strings as well.
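The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a byte-level scan of the file. The following is an added example written for this report, not the analysis platform's own code: it lists indirect objects that are defined more than once with different bodies, shows what a first-wins and a last-wins reader would each resolve for such an object, applies the heuristic's severity rule (info unless a duplicate body carries active content), and extracts every /S /URI action. The sample PDF inside the block is constructed for the demonstration and its URLs are placeholders, not indicators from this sample.

```python
"""Byte-scan a PDF for duplicate object definitions and /URI actions.

Added example for this report; not the analysis platform's tooling. The sample
document and its URLs are constructed placeholders.
"""
import re
from collections import defaultdict

# "N G obj ... endobj" in the raw bytes. Objects packed inside compressed object
# streams (/Type /ObjStm) are not visible to this scan until they are inflated.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
# Keys whose presence makes a duplicate body "active content" for the heuristic.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/URI", b"/Launch", b"/OpenAction", b"/AA")


def find_duplicate_objects(pdf):
    """Map (num, gen) -> list of bodies, kept only where the bodies differ."""
    seen = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        seen[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return {key: bodies for key, bodies in seen.items() if len(set(bodies)) > 1}


def resolve(pdf, num, gen, policy="last"):
    """Emulate a reader that keeps the first or the last definition of (num, gen)."""
    bodies = [m.group(3).strip() for m in OBJ_RE.finditer(pdf)
              if (int(m.group(1)), int(m.group(2))) == (num, gen)]
    if not bodies:
        raise KeyError(f"{num} {gen} obj not found")
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uri_actions(pdf):
    """(num, gen, uri) for every object carrying an /S /URI action, in file order."""
    out = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        if URI_ACTION_RE.search(body):
            out.extend((int(m.group(1)), int(m.group(2)), u.group(1).decode("latin-1"))
                       for u in URI_RE.finditer(body))
    return out


def triage_duplicates(pdf):
    """Severity per the heuristic: info, raised to high when a duplicate carries active content."""
    findings = []
    for (num, gen), bodies in find_duplicate_objects(pdf).items():
        active = any(key in body for body in bodies for key in ACTIVE_KEYS)
        findings.append({"obj": f"{num} {gen}", "bodies": len(bodies),
                         "severity": "high" if active else "info"})
    return findings


# Constructed sample: an original revision whose link annotation (4 0 obj) points
# at a harmless URL, followed by an incremental update that redefines 4 0 obj with
# a different URL. Cross-reference tables are omitted; the scan does not need them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.org/benign) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://evil.example/landing) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for finding in triage_duplicates(SAMPLE_PDF):
        print(finding)
    print("first-wins reader:", resolve(SAMPLE_PDF, 4, 0, "first").decode("latin-1"))
    print("last-wins reader: ", resolve(SAMPLE_PDF, 4, 0, "last").decode("latin-1"))
    for num, gen, uri in extract_uri_actions(SAMPLE_PDF):
        print(f"{num} {gen} obj -> {uri}")
```

The scan is deliberately reader-independent: a conforming viewer resolves objects through the startxref/xref chain and would see only the revision its cross-reference table points at, which is exactly why two viewers (or a viewer and a sandbox) can disagree about which URL the annotation opens. Before trusting a clean result on a real file, inflate any /ObjStm streams and run the same scan over their contents.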

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                        Size
font_00_sfnt_off0000ef5c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xEF5C     5072 bytes
    SHA-256: 098ca89cbcaada72d724ae061561f8a8d6476ab4c16c9a48e6a5a425a37a2854
font_01_sfnt_off0001008b.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1008B    10988 bytes
    SHA-256: 23d94ae3b722e0f498172b3eb32f7bf27c292455d300cf232a108b23b69535e1
font_02_sfnt_off000125ef.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x125EF    4324 bytes
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
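The three artifacts above are sfnt font programs carved out of the PDF's font streams and hashed so they can be matched against other samples. The block below is an added example of that carving step, written for this report and not the analysis platform's own carver: it walks every stream object, honours a direct /Length and falls back to the endstream keyword for an indirect one, inflates FlateDecode streams, validates the sfnt offset table (magic, numTables, and that the table directory fits inside the data) and records the file offset, size, table tags and SHA-256. The PDF and the two one-table fonts it contains are constructed for the demonstration; the 0x00010000, "true" and "OTTO" magics and the 12-byte offset table plus 16-byte table records are the real sfnt layout.

```python
"""Carve and hash embedded sfnt fonts (TrueType/OpenType) from raw PDF bytes.

Added example for this report; not the analysis platform's carver. Sample PDF
and fonts below are constructed, with minimal one-table sfnt programs.
"""
import hashlib
import re
import zlib

# One indirect object whose dictionary is directly followed by a stream. The
# (?!endobj) guard stops the dictionary match from running into the next object.
OBJ_STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# Direct integer /Length only; "/Length 8 0 R" is an indirect reference.
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")

SFNT_KINDS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType",
              b"OTTO": "OpenType/CFF"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sfnt_tables(data):
    """Table tags of an sfnt offset table, or None if the header is not a valid sfnt."""
    if len(data) < 12 or data[:4] not in SFNT_KINDS:
        return None
    num_tables = int.from_bytes(data[4:6], "big")
    if 12 + 16 * num_tables > len(data):
        return None  # directory claims more tables than there are bytes
    return [data[12 + 16 * i: 12 + 16 * i + 4].decode("latin-1") for i in range(num_tables)]


def carve_fonts(pdf):
    """One record per stream that decodes to an sfnt: object id, offset, size, tables, hash."""
    found = []
    for m in OBJ_STREAM_RE.finditer(pdf):
        dictionary, start = m.group(3), m.end()
        length = DIRECT_LENGTH_RE.search(dictionary)
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:  # indirect /Length: take everything up to endstream, minus the one EOL before it
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            raw = pdf[start:end]
            raw = raw[:-2] if raw.endswith(b"\r\n") else raw[:-1] if raw.endswith(b"\n") else raw
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # damaged or mis-declared stream; nothing to carve
        tags = sfnt_tables(data)
        if tags is None:
            continue
        found.append({"obj": f"{int(m.group(1))} {int(m.group(2))}", "offset": start,
                      "size": len(data), "kind": SFNT_KINDS[data[:4]],
                      "tables": tags, "sha256": sha256_hex(data)})
    return found


def _minimal_sfnt(magic, table_tag, payload):
    """Constructed one-table sfnt: 12-byte offset table, one 16-byte record, payload at 28."""
    header = magic + (1).to_bytes(2, "big") + (16).to_bytes(2, "big") + bytes(4)
    record = table_tag + bytes(4) + (28).to_bytes(4, "big") + len(payload).to_bytes(4, "big")
    return header + record + payload


SAMPLE_FONT_TT = _minimal_sfnt(b"\x00\x01\x00\x00", b"cmap", b"\x00\x00\x00\x04")
SAMPLE_FONT_CFF = _minimal_sfnt(b"OTTO", b"CFF ", b"\x01\x00\x04\x01")
_TT_FLATE = zlib.compress(SAMPLE_FONT_TT)
# Constructed PDF fragment: a Flate-compressed TrueType stream with a direct /Length,
# a raw CFF stream, and a compressed page-content stream with an indirect /Length.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"5 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 32 >>\nstream\n" % len(_TT_FLATE),
    _TT_FLATE, b"\nendstream\nendobj\n",
    b"6 0 obj\n<< /Length 32 /Subtype /Type1C >>\nstream\n",
    SAMPLE_FONT_CFF, b"\nendstream\nendobj\n",
    b"7 0 obj\n<< /Length 8 0 R /Filter /FlateDecode >>\nstream\n",
    zlib.compress(b"BT /F1 12 Tf (hello) Tj ET"), b"\nendstream\nendobj\n",
])

if __name__ == "__main__":
    for rec in carve_fonts(SAMPLE_PDF):
        print(f"{rec['obj']} obj  sfnt at offset 0x{rec['offset']:X}  {rec['size']} bytes  "
              f"{rec['kind']}  tables={rec['tables']}  SHA-256={rec['sha256']}")
```

The carver hashes the decoded font program, so the digest is stable across documents that embed the same font with different compression settings; that is what makes the SHA-256 column above useful for pivoting between samples built by the same wkhtmltopdf/Qt pipeline.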