Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a3eed54ed42d70c…

Verdict: MALICIOUS
File type: PDF

Size: 75.4 KB
Created: 2021-04-01 02:56:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: 8a10fe7b948e61794c5c5a7d52ab622d
SHA-1: ec3a24a3f9df7635fbac8cdc4829cbd022de10b9
SHA-256: 9a3eed54ed42d70c36a7e67556a17970f1cf1e88233cf3716e87d24b338f7fba
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000e848.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE848   5424 bytes
  SHA-256: 4191111342d69f79f6854d6f45862af31c2924536e48e86341d4595453231f7b
font_01_sfnt_off0000fa8d.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xFA8D   11216 bytes
  SHA-256: aea409ff8632de3dc126e0e81491ab19eecb8584a4ee5d6b9f4901ec6537d83d