Malicious PDF — malware analysis report

Static analysis result for SHA-256 96b056bae773e353…

Verdict: MALICIOUS
File type: PDF
Size: 557.7 KB
Created: 2021-04-05 01:19:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: 40d316086fd4b56a96a5ba70cf4f671a
SHA-1: ee2af8a4c16b5849dbd53ef5a65e4530dbfee3e5
SHA-256: 96b056bae773e35324e21efe934d5a7b746880dac4c903161c7aad957a0257dd
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a URL that mimics a search result for a textbook, suggesting a phishing or social engineering lure. ClamAV detection and ML classification further indicate malicious intent, specifically flagging it as a phishing trojan. While no scripts were directly extracted, the presence of embedded URIs and the nature of the detection suggest a pattern of malicious document distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7873

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/award?keyword=lippincott+biochemistry+6th+edition+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000867d3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x867D3 | 5488 bytes
    SHA-256: 5caf35e9a12948e18fbeba4181e17ba50c29f49f805ecc874b20826bc5ba9ee6
font_01_sfnt_off00087a61.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x87A61 | 13348 bytes
    SHA-256: b237b7b07d8524268e0ed66a387ecb319b06b8dbdd483a43fa4c2256bfbd450a