Malicious PDF — malware analysis report

Static analysis result for SHA-256 9417ba8c2a3269b5…

Verdict: MALICIOUS
File type: PDF
Size: 67.8 KB
Created: 2021-06-10 08:25:09 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: b22a1f1e885ac9f6119246b2348e01c7
SHA-1: 10ba8febec6faa191697e806e892e922fe9cbab8
SHA-256: 9417ba8c2a3269b56bc2e51123877bff963c7104752470d7b296fc69cc097b41
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

This PDF was flagged as malicious by a ClamAV phishing signature and by the Nyx ML classifier (score 0.7936). It carries a single clickable link annotation whose /URI action points to https://queure.ru/pbw?utm_term=joystick+app+for+pokemon+go, an attacker-controlled resource; the remaining URLs occur only in the page text, not as actions. The file was generated by wkhtmltopdf, i.e. rendered from HTML, and no JavaScript, embedded-file or launch-action heuristics fired, so the T1059.007 mapping is not supported by the static findings on this sample. The specific URLs, hashes and carved artifacts are listed in the sections below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7936

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action reachable from a link annotation; see the per-URL list below).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the label after each URL gives the channel (macro, JS, link annotation, document body, ...) through which it is reached.
    • https://queure.ru/pbw?utm_term=joystick+app+for+pokemon+go (PDF link annotation)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/de776a93-32d3-4a7a-aa4a-2a78ba8cdcc9/natesebew.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e949cafd-a2fc-4a3c-8acb-8d72b2928d20/xazusuwovofalofoxinokos.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/28a9f628-a517-40e3-978d-1dc9788e1e06/sisurisomulekiwepuzet.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2cce0bce-88dd-4c78-a08f-7558960ebe5c/zotoseduk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e14a44dc-060d-4d7d-9600-1d0f21e68d61/hp_deskjet_2546r_not_printing.pdf (in PDF document text)
    • http://sodopateduke.pbworks.com/w/file/fetch/144427158/yaris_2007_service_manual.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0b0c412b-4f66-4137-a350-02359dfb7c1e/what_kind_of_oil_does_a_2003_honda_rancher_take.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/735a123e-7c73-449f-805d-951a4b517ef4/what_are_the_barriers_to_communication_with_examples.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/58982164-b745-4742-b1a7-f3477463f767/1827816361.pdf (in PDF document text)
    • http://jajafad.pbworks.com/w/file/fetch/144419145/suvarudezi.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/89b2c911-c116-4c69-bc78-8156c043ff57/wolipenenujafiniwoj.pdf (in PDF document text)
    • http://wamotarirup.pbworks.com/f/gomamalopeveba.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bb64a60b-5b40-475c-a2d5-cad681a74de3/roku_24_inch_tv.pdf (in PDF document text)
    • http://rujuboxu.pbworks.com/f/feenstra_and_taylor_international_macroeconomics_4th_edition.pdf (in PDF document text)
    • http://damopijos.pbworks.com/w/file/fetch/144498918/towamazuwebene.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/34838b2f-f8ec-44be-97bf-54ecb9ef2f16/64538392920.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8645c4e4-3e15-4ff1-9432-b718f7f075f4/picsart_premium_full_unlocked_apk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1eb576e1-97b0-4591-b582-09340ad3522f/49420380963.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1e7a73ec-4606-479b-b360-ec8ba426548a/how_to_cope_with_rainy_weather.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e9041dc4-9268-477e-ac6c-4385d43d31c2/mens_hairdresser_near_me_open_sunday.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f9e7cca2-d5b5-4b8b-8b40-3abe7c63b553/gta_vice_city_how_to_get_money_cheat_code.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ddd6e6f0-c848-4953-b867-7f0b9240e085/why_does_a_patch_of_my_skin_sting_when_i_cry.pdf (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
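The channel labels above (link annotation versus document text) come from walking the PDF object structure rather than from grepping the file. As an added example, not part of this report or of the analysis engine that produced it, the following Python scanner separates three URL channels on a constructed sample PDF: /URI actions (the channel behind the PDF_URI heuristic), inline /JS action strings, and URLs found in stream data, inflating /FlateDecode streams where declared. The sample PDF, its example.invalid URLs and the function names are assumptions for illustration. One practical caveat: wkhtmltopdf stores page text as hex strings under subset fonts with custom encodings, so a raw scan of stream data will not recover the "document text" URLs from a file like this one; that channel needs a real text extractor (pdftotext, pdfminer) in practice.

```python
import re
import zlib

# Constructed sample PDF (not the analysed file): uncompressed, with three URL
# channels: a /URI action on a link annotation, a URL typed into the page text,
# and an inline /JS JavaScript action. The xref table is omitted because the
# scanner walks "N G obj ... endobj" blocks in the raw bytes instead.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 69 >>
stream
BT /F1 12 Tf 72 720 Td (Manual: http://example.invalid/doc.pdf) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 730]
   /A << /S /URI /URI (https://phish.example.invalid/login) >> >> endobj
6 0 obj << /S /JavaScript /JS (app.launchURL\("https://js.example.invalid/x"\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(?P<body>.*?)endobj", re.S)
STREAM_HEAD_RE = re.compile(rb"(?P<dict>.*?)\bstream\r?\n", re.S)
LITERAL = rb"\((?P<lit>(?:\\.|[^\\)])*)\)"   # PDF literal string; nested unescaped parens not handled
URI_LIT_RE = re.compile(rb"/URI\s*" + LITERAL, re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<(?P<hex>[0-9A-Fa-f\s]*)>")
JS_LIT_RE = re.compile(rb"/JS\s*" + LITERAL, re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\[\]{}\"']+")


def _unescape(lit: bytes) -> bytes:
    """Undo the literal-string escapes that matter for URLs: \\( \\) and \\\\ ."""
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), lit)


def _stream_bytes(body: bytes):
    """Return (dict, data) for an object carrying a stream, or None.
    Honours a direct /Length; falls back to the endstream keyword otherwise."""
    head = STREAM_HEAD_RE.match(body)
    if not head:
        return None
    start = head.end()
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", head.group("dict"))
    if length:
        end = start + int(length.group(1))
    else:
        tail = re.search(rb"\r?\nendstream", body[start:])
        end = start + tail.start() if tail else len(body)
    return head.group("dict"), body[start:end]


def _inflate(dict_bytes: bytes, data: bytes) -> bytes:
    """Inflate /FlateDecode streams; other filters are left undecoded (the scan may miss them)."""
    if b"/FlateDecode" not in dict_bytes:
        return data
    try:
        return zlib.decompress(data)
    except zlib.error:
        return b""   # corrupt or truncated stream: nothing reliable to scan


def extract_urls(pdf: bytes) -> list:
    """Return sorted (channel, url) pairs; the channel says how each URL is reached."""
    found = set()
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group("body")
        # Channel: /URI actions (link annotations, OpenAction, outlines). Only direct
        # string values are handled; an indirect "/URI 9 0 R" is skipped here.
        if re.search(rb"/S\s*/URI\b", body):
            for m in URI_LIT_RE.finditer(body):
                found.add(("uri-action", _unescape(m.group("lit")).decode("latin-1")))
            for m in URI_HEX_RE.finditer(body):
                raw = bytes.fromhex(re.sub(rb"\s", b"", m.group("hex")).decode())
                found.add(("uri-action", raw.decode("latin-1")))
        # Channel: inline /JS literals of JavaScript actions.
        for m in JS_LIT_RE.finditer(body):
            for url in URL_RE.findall(_unescape(m.group("lit"))):
                found.add(("javascript", url.decode("latin-1")))
        # Channel: stream data (page content, JS streams, XMP metadata, ...).
        stream = _stream_bytes(body)
        if stream:
            for url in URL_RE.findall(_inflate(*stream)):
                found.add(("stream-text", url.decode("latin-1")))
    return sorted(found)


def flate_object(num: int, payload: bytes) -> bytes:
    """Build a /FlateDecode stream object (helper for exercising the inflate path)."""
    comp = zlib.compress(payload)
    return (b"%d 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(comp))
            + comp + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:12s} {url}")
```

Running the block prints one line per channel for the sample. The labelling matters for triage: a URL in a /URI action fires when the reader clicks the link, a URL in a /JS string is reachable without a click if the action is wired to /OpenAction, and a URL that only appears in page text is inert unless the viewer auto-links it.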

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f173.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF173   5248 bytes
SHA-256: 35bd0e0b308889f152e0d165d87c4b551ac3c791a143b2e708a577d2d54de170
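The font artifact above was carved at a byte offset with a size the tool had to compute: an sfnt (TrueType/OpenType container) carries no total-length field, so its extent follows from the table directory, which is what makes the magic-plus-directory check a reliable carving signature. As an added example, not the analysis engine's own carving code, the following Python carver scans a buffer for the three sfnt magic values and bounds each candidate by the furthest table end, rejecting hits whose directory is implausible (a "true" inside ordinary text, for instance). The constructed font and carrier buffer are assumptions. It expects an already-inflated buffer: wkhtmltopdf embeds fonts as FlateDecode /FontFile2 streams, so on the real file the stream has to be decoded before scanning.

```python
import struct

# TrueType (version 1.0), Apple-style TrueType, and CFF-flavoured OpenType.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def _sfnt_size(data: bytes, pos: int, max_tables: int) -> int:
    """Size of the sfnt starting at data[pos], or 0 if the table directory is implausible.
    Header: magic(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2), then
    16-byte records tag(4) checksum(4) offset(4) length(4). Offsets are relative to pos."""
    if pos + 12 > len(data):
        return 0
    num_tables = struct.unpack(">H", data[pos + 4:pos + 6])[0]
    dir_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= max_tables or pos + dir_end > len(data):
        return 0
    end = dir_end
    for i in range(num_tables):
        rec = pos + 12 + 16 * i
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):        # tags are printable ASCII
            return 0
        if offset < dir_end or pos + offset + length > len(data):
            return 0                                        # table lies outside the carrier
        end = max(end, offset + length)
    # Tables are 4-byte padded; never claim bytes the carrier does not have.
    return min((end + 3) & ~3, len(data) - pos)


def carve_sfnt(data: bytes, max_tables: int = 64) -> list:
    """Return sorted (offset, size) pairs for every plausible sfnt in data."""
    hits = []
    for magic in SFNT_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            size = _sfnt_size(data, pos, max_tables)
            if size:
                hits.append((pos, size))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal TrueType-flavoured sfnt from {tag: payload} (constructed test
    data: searchRange/entrySelector/rangeShift and table checksums are left zero)."""
    records, blobs = b"", b""
    offset = 12 + 16 * len(tables)
    for tag, payload in sorted(tables.items()):           # directory must be tag-sorted
        padded = payload + b"\0" * (-len(payload) % 4)
        records += struct.pack(">4sIII", tag, 0, offset, len(payload))
        blobs += padded
        offset += len(padded)
    return struct.pack(">IHHHH", 0x00010000, len(tables), 0, 0, 0) + records + blobs


# Constructed carrier: 64 bytes of filler, the font, then a PDF-like trailer.
SAMPLE_FONT = build_sfnt({b"head": b"H" * 54, b"name": b"N" * 20})
SAMPLE_BLOB = b"\xaa" * 64 + SAMPLE_FONT + b"\n%%EOF\n"

if __name__ == "__main__":
    for offset, size in carve_sfnt(SAMPLE_BLOB):
        print(f"sfnt at offset 0x{offset:X}, {size} bytes")
```

Carving by directory bound rather than by the stream's /Length is deliberate: a font stream padded or truncated by the generator still yields a hash that matches the same font carved from another sample, which is what makes the artifact SHA-256 usable as a pivot.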