Malicious PDF — malware analysis report

Static analysis result for SHA-256 973652932b1674df…

MALICIOUS

PDF

66.9 KB Created: 2020-12-03 19:07:45 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ec1c989f2321721314c379b09a2b0877 SHA-1: 1c1246ef808f4f631b31e553f26272b154cca98a SHA-256: 973652932b1674df22b8186a771bd41f1280aef4b80e5bc02d3cdba31b91a592
76 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is a PDF document that uses a social engineering lure, instructing the user to install a browser update to view content. This is a common tactic to trick users into downloading and executing malicious payloads. The ML classifier strongly flagged this PDF as malicious, and an external URI was found pointing to a suspicious domain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffking.ru/aws?utm_term=uc+browser+full+exe
    • https://rowagikej.weebly.com/uploads/1/3/4/6/134678960/215215652dc67.pdf
    • https://dubuzimonovox.weebly.com/uploads/1/3/4/3/134347386/gebulovifig.pdf
    • https://gimejexoxixaza.weebly.com/uploads/1/3/1/8/131872185/monirafulowafix.pdf
    • https://nivufojafofe.weebly.com/uploads/1/3/4/2/134265756/lonudeminekomowabuw.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/dazifozixawus/fonodekeli.pdf
    • https://static1.squarespace.com/static/5fc13e7dd49dd12447366960/t/5fc51b743570fb44d1a5af89/1606753141200/88574260.pdf
    • https://static1.squarespace.com/static/5fc0bebbcd1e280355d37542/t/5fc17534e18c5c478e32dead/1606513973436/85327529744.pdf
    • https://s3.amazonaws.com/moduxanakuri/cyanogen_os_12.pdf
    • https://uploads.strikinglycdn.com/files/dcf15cbb-dba5-4f9c-8b4f-5a56d332ac90/calories_in_a_bbq_pork_chop.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbd0df33ca23154c95db2f7/1606225396611/gy6_wiring_diagram.pdf
    • https://static1.squarespace.com/static/5fc0d57abd14ff0dd29c5223/t/5fc1146ee18c5c478e220ad4/1606489198873/dorodage.pdf
    • https://static1.squarespace.com/static/5fbfe895e5c7695ca99606f9/t/5fc14e37173fb5383bd2e42b/1606503991827/chapter_6_study_guide_physics.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cad7.bin
a85538aadb9bf2a523975fbbf99d2576fcc2324537d2f2a01a38db2bdaab8958		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCAD7 4956 bytes
font_01_sfnt_off0000dbe2.bin
6ad9c554ed884f0fd257274d3265aa691a3ee76c21a1b8633d9f7b82ef4a6e8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDBE2 10248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.