Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c384d2fc96c7ce0…

MALICIOUS

PDF

65.2 KB Created: 2020-11-10 11:27:13 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc069f232933b04884b202191426a610 SHA-1: d3cf370dfd916ea47cdf704650a8e2ce023d0aec SHA-256: 9c384d2fc96c7ce05fb5ea57e2d5944c2930915c0258ba4982c6356c1e1d1cfe
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI that directs the user to a URL designed to trick them into downloading a malicious file, likely an APK. The ML classifier and ClamAV detection strongly indicate malicious intent. Although no scripts were explicitly extracted, the presence of embedded URLs and the nature of the heuristic firings suggest an attempt to deliver a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/123?keyword=install+apk+nox+player
    • https://wegupufula.weebly.com/uploads/1/3/0/8/130813429/1880087.pdf
    • https://runebipunozup.weebly.com/uploads/1/3/1/4/131406604/judate.pdf
    • https://revibafejinaj.weebly.com/uploads/1/3/4/4/134485322/fb022655.pdf
    • https://cdn-cms.f-static.net/uploads/4365562/normal_5f8700a4495b8.pdf
    • https://cdn-cms.f-static.net/uploads/4374953/normal_5fa357d94c324.pdf
    • https://bitexaxa.weebly.com/uploads/1/3/4/4/134477172/a1e49ef133f095c.pdf
    • https://tanifovekula.weebly.com/uploads/1/3/1/3/131379991/bd7e256eef.pdf
    • https://derutibedevore.weebly.com/uploads/1/3/4/3/134354066/mapajela-kewelopafixuze.pdf
    • https://cdn-cms.f-static.net/uploads/4377414/normal_5f9a091f2f25f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3e1209f1-f5f5-41a4-8f0c-47d8e3a1127d/joxigewexomiwugek.pdf
    • https://uploads.strikinglycdn.com/files/a3783537-1c78-48eb-bfbb-13b64049952a/wudimirumuzupelib.pdf
    • https://uploads.strikinglycdn.com/files/874ea1c0-aeae-46b3-9234-be3f3759c92e/rabononejefilutoxax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c371.bin
05b352b18fc63a8fa281b54687eff36d6bc950962794a65f13656f2aca77b97b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC371 4984 bytes
font_01_sfnt_off0000d47e.bin
ca1f4ed6dfd03047a52699897f5c09bc662c21ae8c105c7f01039a87013b50f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD47E 10596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.