Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ea295dd92ac84e4…

Verdict: MALICIOUS
File type: PDF
Size: 87.4 KB
Created: 2021-03-05 03:01:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22

MD5: 54b8e18abc9a1aba045ef01fdd4da8d4
SHA-1: d4590528c37be1287d4a0a1bc9dc44e00dbb93cf
SHA-256: 8ea295dd92ac84e4fb59021f357f6f98eda68e61872f2f8383d572d8e62377e4

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/123?utm_term=us+navy+seal+crest (PDF link annotation)
    • http://fodekofuxuvum.sportsontheweb.net/parts_of_speech_quiz_9th_grade.pdf (in PDF document text)
    • http://fomigiv.mypressonline.com/ge_logiq_e9_xdclear_2.0_datasheet.pdf (in PDF document text)
    • http://miiliioner.xyz/99792129213qh548.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4479214/normal_601fde10717fa.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4470209/normal_603acf754cf1a.pdf (in PDF document text)
    • https://mabatuba.weebly.com/uploads/1/3/5/3/135303696/5115181.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4481173/normal_5fcc2c6a3bc4a.pdf (in PDF document text)
    • http://mapotilij.mygamesonline.org/a_long_obedience_in_the_same_direction_review.pdf (in PDF document text)
    • https://lutigasudubuwa.weebly.com/uploads/1/3/2/6/132695203/47e6e42e89810.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4464524/normal_603edab85652d.pdf (in PDF document text)
    • https://pufoputinagof.weebly.com/uploads/1/3/4/2/134234879/wegisimuguwijug-fuderugidini.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4465144/normal_6029d8d63650a.pdf (in PDF document text)
    • http://glawerry.online/32963988555sj4hp.pdf (in PDF document text)
    • http://komozazene.getenjoyment.net/trane_xr13_model_2ttr3030a1000aa_manual.pdf (in PDF document text)
    • https://kapadarobuziwel.weebly.com/uploads/1/3/2/6/132696145/e1a6fedcccf.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/ximupuv/damodarastakam_in_sanskrit.pdf (in PDF document text)
    • https://s3.amazonaws.com/mikibetiv/rainbow_fish_for_sale_uk.pdf (in PDF document text)
    • https://19f621d4-ab03-49b5-bf1d-c78de40104d4.filesusr.com/ugd/bc84a3_61241872af6e433088504e908abb4f06.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/lofese/hillingdon_hospital_cqc_report_2017.pdf (in PDF document text)
    • http://sasukagisodubex.onlinewebshop.net/dead_to_the_world_book_series.pdf (in PDF document text)
    • https://s3.amazonaws.com/fuwuzerijofa/basic_spreadsheet_app_for_iphone.pdf (in PDF document text)
    • https://0503187d-52cd-4237-9521-a3cb9bf551ae.filesusr.com/ugd/5bb01c_4daf82f619044531a933627b56a73c01.pdf?index=true (in PDF document text)
    • https://ddb0fe67-a09a-413d-b59a-c21b1dde3186.filesusr.com/ugd/3f0e57_984111132033433186b1eb27669d69a6.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/zerepuzuze/core_critical_thinking_skills_examples.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000118a7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x118A7
    Size: 4944 bytes
    SHA-256: 03ee120453024abeff302f348c3dede1259170c2bdfae3c4b9cdfe36050bca05
  • Filename: font_01_sfnt_off00012999.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12999
    Size: 11876 bytes
    SHA-256: b5ed28d0aa89c7edd4e24668e46bcd73299847428f0cac66ea65047d951a30d4