Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b6714174f45f64e…

Verdict: MALICIOUS
File type: PDF
Size: 69.3 KB
Created: 2021-05-31 02:18:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 88b1a8e0ceb27f02b7aa4351f78a2a2c
SHA-1: 5d739a5de2cd2f26a7915554d5bb8e6729c1e69d
SHA-256: 9b6714174f45f64ebe4ebcca9e8cc5ffa8f70aebe2b131123c5f54e09c58bd74
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ClamAV (a Pdf.Phishing.Trojan signature) and the Nyx ML classifier both flag the file, and the risk score is 96. The one active element in the document is a link annotation whose /URI action points to baarspo.ru, a domain also listed as an IOC: a viewer that honours the annotation sends the user to that host on click. Every other extracted URL sits in document text rather than in an action: other hosted PDFs on cdn-cms.f-static.net, static.s123-cdn-static.com and uploads.strikinglycdn.com, the Ascender font-vendor site, the SIL Open Font License URL and standard XMP/Dublin Core namespace URIs, none of which is a detection on its own. The authoring-application metadata names wkhtmltopdf, an HTML-to-PDF converter, suggesting the document was generated programmatically from an HTML page to host the link. Note that T1059.007 (JavaScript) appears in the ATT&CK mapping although none of the listed heuristics reports JavaScript content; do not treat that mapping as evidence of script in this sample without checking the objects directly.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info, PDF_URI]
    The PDF contains an external URL action (a /URI action on a link annotation).
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content. Practical check: resolve the link annotation under both policies and compare the /URI targets.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/strik?utm_term=the+nonliving+things+in+an+ecosystem+called (PDF link annotation)
    • https://static.s123-cdn-static.com/uploads/4409113/normal_5fec173502c19.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4466140/normal_601ca1d031f2a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4428052/normal_606cc342b8a04.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4402289/normal_5fe7e96ea157d.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4501204/normal_605b986e6cc15.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4475389/normal_5fd15ad0b5514.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4421639/normal_5fc97a57076d1.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4474191/normal_604b336ca9894.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4375353/normal_5febb5c6bfa7e.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4377115/normal_602c77a1865ff.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4376858/normal_5fdc16b00ef79.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4484365/normal_6058cac7a2653.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447647/normal_60343e3cce559.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4467285/normal_5fcd0a3f154f6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4452217/normal_5fdb7c0dcc1e3.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4380080/normal_5fdb04d180873.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4367922/normal_602929d316366.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4453553/normal_6032a57d072db.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4420248/normal_5fe7bd4ba72b3.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4368949/normal_5fc980e4e8c7e.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f73d8434-3c9f-4fa9-981f-9aff89bed921/medidas_de_block_de_concreto.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6fec660b-9619-4f5c-8edd-ee775677fde1/sarah_j_maas_a_court_of_thorns_and_roses_book_5_release_date.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/c30ce56f-c567-4b2f-88b1-b99fa96d2199/6625171963.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
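To reproduce the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks above, here is an added Python example; it is not the analysis platform's code and it does not operate on the analysed sample. It builds a constructed two-revision PDF in which an incremental update redefines the link-annotation object with a different /URI, shows what a first-wins and a last-wins reader would each resolve, labels every URL with the channel it came from (link annotation versus document text), and applies the report's rule of escalating a duplicate object only when one of its bodies carries an action. The object, action and URL regexes, the example.org and attacker.invalid URLs and the severity labels are assumptions of this example.

```python
"""Static PDF triage: /URI link-annotation targets, document-text URLs, and
indirect objects defined twice with different bodies (parser confusion)."""
import hashlib
import re

# Constructed sample, not the analysed file: one page with one link annotation,
# followed by an incremental update that redefines object 4 0 with a different
# /URI. The content stream carries a plain-text URL that is not an action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://example.org/benign) >> >>\nendobj\n"
    b"5 0 obj\n<< /Length 59 >>\nstream\n"
    b"BT (see http://www.w3.org/1999/02/22-rdf-syntax-ns#) Tj ET\n"
    b"endstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://attacker.invalid/landing) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")


def index_objects(pdf):
    """Map (num, gen) -> list of body bytes, one entry per definition, in file order."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Keys defined more than once with at least two distinct bodies."""
    return sorted(k for k, bodies in objs.items() if len(set(bodies)) > 1)


def uri_actions(objs, policy):
    """/URI targets as a 'first'-wins or 'last'-wins reader would resolve them."""
    pick = 0 if policy == "first" else -1
    found = []
    for key in sorted(objs):
        for m in URI_ACTION_RE.finditer(objs[key][pick]):
            found.append((key, m.group(1).decode("latin-1")))
    return found


def url_channels(pdf, objs):
    """Label each URL: 'link annotation' if it is a /URI action target under
    either resolution policy, otherwise 'document text'."""
    targets = {u for p in ("first", "last") for _, u in uri_actions(objs, p)}
    labels = {}
    for m in URL_RE.finditer(pdf):
        u = m.group(0).decode("latin-1")
        labels[u] = "link annotation" if u in targets else "document text"
    return labels


def triage(pdf):
    objs = index_objects(pdf)
    dups = duplicate_objects(objs)
    first, last = uri_actions(objs, "first"), uri_actions(objs, "last")
    # Assumed severity rule, mirroring the report: a duplicate object is only
    # escalated when one of its bodies carries an action.
    active_dup = any(k in dups for k, _ in first + last)
    return {
        "sha256": hashlib.sha256(pdf).hexdigest(),
        "duplicates": dups,
        "uri_first_wins": first,
        "uri_last_wins": last,
        "urls": url_channels(pdf, objs),
        "dup_severity": "high" if active_dup else "info",
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

The regex scan is deliberately parser-agnostic: it does not follow the xref table, so it sees every definition of an object rather than the one a conforming reader would pick, which is exactly what is needed to expose the first-wins/last-wins split. Run it on a real sample by replacing SAMPLE_PDF with the file's bytes; the namespace URL in the content stream lands in "document text", as the XMP and font-licence URLs do in the report above.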

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000d29a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD29A  5368 bytes
  SHA-256: 7246922fca5e918f2be7f54b8684382ffd41d8cfeb3b6c33ddb29f5721211344
font_01_sfnt_off0000e4cc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE4CC  10176 bytes
  SHA-256: cb3825f0904f8879d3605c40d792806077345f3c5d2f864c793889ccb3855476
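To reproduce a carving pass like the one behind this table, here is an added Python example; it is not the analysis platform's carver and it does not run on the analysed file. It locates stream objects by their dictionary, honours a direct /Length, undoes FlateDecode, keeps only streams whose decoded bytes start with an sfnt tag (TrueType, OpenType/CFF, or a collection), and records offset, decoded size and SHA-256 in the table's shape. The font is a constructed 64-byte stand-in with a valid sfnt header, the stream offset is assumed to be the offset of the stream data, and the artifact naming is assumed to mirror the table.

```python
"""Carve embedded sfnt fonts (TrueType/OpenType) out of PDF streams and report
offset, decoded size and SHA-256 in the shape of the artifact table."""
import hashlib
import re
import zlib

# Constructed stand-in for a font, not a real one: sfnt version tag 0x00010000
# (TrueType), numTables = 0, padded header and filler. Real sfnt files begin
# with 0x00010000, b"OTTO", b"true" or b"ttcf".
FAKE_FONT = b"\x00\x01\x00\x00" + b"\x00\x00" + b"\x00" * 6 + b"A" * 52
FAKE_FONT_DEFLATED = zlib.compress(FAKE_FONT)

# Constructed PDF fragment: an uncompressed content stream (not a font) and a
# FlateDecode stream holding the fake font, as a FontFile2 stream would.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"7 0 obj\n<< /Length 6 >>\nstream\nBT ET\nendstream\nendobj\n"
    b"8 0 obj\n<< /Length " + str(len(FAKE_FONT_DEFLATED)).encode()
    + b" /Filter /FlateDecode /Length1 " + str(len(FAKE_FONT)).encode()
    + b" >>\nstream\n" + FAKE_FONT_DEFLATED + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)

SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
# A stream dictionary followed by the 'stream' keyword; the negative lookahead
# keeps the lazy match from running across an 'endobj' into the next object.
STREAM_RE = re.compile(rb"<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length only; an indirect '/Length 9 0 R' is skipped on purpose.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def iter_streams(pdf):
    """Yield (data_offset, dict_bytes, raw_stream_bytes) for every stream."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        lm = LENGTH_RE.search(m.group("dict"))
        if lm:
            end = start + int(lm.group(1))
        else:  # no usable /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            end = len(pdf) if end == -1 else end
        yield start, m.group("dict"), pdf[start:end]


def decode_stream(dict_bytes, raw):
    """Undo FlateDecode; other filters are left encoded (not checked as fonts)."""
    if b"/FlateDecode" not in dict_bytes:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return None  # truncated or mis-sized stream: leave for manual review


def carve_fonts(pdf):
    """Return artifact records for every stream whose decoded bytes look like sfnt."""
    found = []
    for offset, d, raw in iter_streams(pdf):
        data = decode_stream(d, raw)
        if data is None or data[:4] not in SFNT_MAGIC:
            continue
        found.append({
            # Naming assumed to mirror the table: index, kind, hex stream offset.
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), offset),
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return found


if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print(f["name"], f["size"], "bytes", f["sha256"])
```

The SHA-256 is taken over the decoded bytes, so it can be compared against the table above and against font files seen elsewhere; hashing the still-compressed stream would change with the producer's zlib settings and defeat that comparison. Streams with an indirect /Length or a filter other than FlateDecode fall through to the endstream search or are skipped, which is the case to check by hand when a carve is unexpectedly empty.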