Malicious PDF — malware analysis report

Static analysis result for SHA-256 8db22bbb4742e052…

Verdict: MALICIOUS
File type: PDF
Size: 78.2 KB
Created: 2021-03-29 07:51:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4b199963d9884ca1be94ba74636ed80
SHA-1: 5d6c4bc21a7315fc99a292b7cb98e1b13c254479
SHA-256: 8db22bbb4742e0523aa6536f121f2ca231a8f6e7cd74539e2c6f954915cf15b8
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URL that appears to be a lure for users searching for 'wifi usb printer hub'. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://lozipotod.ru/wix?keyword=wifi+usb+printer+hub

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f5a5.bin
    SHA-256: d68c35662193084469d7e32051fce4bda431b3f1013565b651207513a2ffec09
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF5A5
    Size: 4900 bytes
  • Filename: font_01_sfnt_off0001065a.bin
    SHA-256: a0ef35fb9074862cf0d7ef0ba55d7d3d21ef70d601a4de33389682e9206ffbf4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1065A
    Size: 10984 bytes