Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e5a18daa536c90a…

Verdict: MALICIOUS
File type: PDF
Size: 157.9 KB
Created: 2021-03-11 22:07:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69a531a7c359da02918471ee0e2f56c3
SHA-1: baf5262e6405269f4975e52d102ddd4f8ef0d392
SHA-256: 8e5a18daa536c90a5c9182b529705b0b46bb6e7db65121bcb3ddbec603a31417
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV. It contains multiple embedded URLs, one of which is `https://golowaki.ru/123?utm_term=asiatic+lions+images`, suggesting a phishing or redirection attempt. The document body is heavily obfuscated and contains metadata indicating it was generated by `wkhtmltopdf`, a tool often used to create malicious PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9730

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/123?utm_term=asiatic+lions+images

Extracted artifacts (7)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_009_off00023630.bin | c564e6bdc00511f95d5cc26ffdf1969a07c633766c22b29a74af400db1e3fa86 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x23630 | 21044 bytes |
| font_00_sfnt_off0001c868.bin | 74d1fe18c1d052f7e8797ffe377f338299ebcbc17038d1370eb7e53f7492491e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C868 | 3188 bytes |
| font_01_sfnt_off0001d3be.bin | a3179bfc62e20a26a452b4ee812586d85d3cfb2ba8697b7bc4f8f264d8389332 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1D3BE | 5012 bytes |
| font_02_sfnt_off0001e4bd.bin | afb6ff79b4b1cca921598d5963b4db958bb2536f6021fa3fdb9621ba9a224771 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E4BD | 9448 bytes |
| font_03_sfnt_off0001f813.bin | 4f3d14c5ed3c8d017228a9b80724c6e16b70df913e68f00ff3b59c35dcda9d32 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1F813 | 4780 bytes |
| font_04_sfnt_off000206b2.bin | c266978633b737c8f98702861fae9a5f37d7182fd34a3be49f4224a93ffbb5b7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x206B2 | 14800 bytes |
| font_06_sfnt_off00025a45.bin | a5793a311de582eae68ad69c1053d02126e73abaea59afd89725083333eaeff1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25A45 | 3488 bytes |