Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ca7b93d708322a8…

Verdict: MALICIOUS
File type: PDF
Size: 86.8 KB
Created: 2021-03-25 13:31:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dfb3fe31908a9e7b2ab2f5ef49fb4518
SHA-1: 6821903e8631cb6df31a1018e48ff1dfddfbabf7
SHA-256: 9ca7b93d708322a8364bfb3b70810b6c727a753c3a6704b211b00cce5daecef4
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an external URL action that sends the reader to https://botokaw.ru/wix?keyword=dragon+ball+z+final+stand+wiki+rebirth, a suspicious domain most likely used for phishing or malware distribution. The ClamAV signature (Pdf.Phishing.Trojan) and the ML classifier score (0.9993) agree on a malicious verdict. The document body, though heavily obfuscated, contains text referring to 'Dragon Ball Z Final Stand Wiki Rebirth' and to wkhtmltopdf, consistent with a web page converted to PDF to serve as a lure for the linked site. None of the heuristics listed below reports a JavaScript object, so the T1059.007 mapping is not backed by observed script content in this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the channel that reached it (macro, JS, link annotation, document body, ...) decides how much weight it carries. The entries below fall into three groups: the botokaw.ru, cdn.sqhk.co, *.rf.gd, *.epizy.com, mywebcommunity.org, onlinewebshop.net, filesusr.com and strikinglycdn.com links point at externally hosted PDF files on free-hosting and CDN domains and are the navigation targets of interest; the w3.org, purl.org and ns.adobe.com entries are XMP schema namespace URIs; and the ascendercorp.com, sil.org, sourceforge.net and gnu.org entries are font-foundry and font-licence strings of the kind carried in document metadata and embedded fonts rather than in link actions.
    • https://botokaw.ru/wix?keyword=dragon+ball+z+final+stand+wiki+rebirth
    • https://cdn.sqhk.co/jawuraxexije/jhhcpCB/42589558193.pdf
    • https://cdn.sqhk.co/zenetofuma/aoQgdqL/gumuxuwotana.pdf
    • http://jemulobapamiwu.mywebcommunity.org/open_in_paintshop_pro.pdf
    • https://cdn.sqhk.co/kolokejo/dhfEQif/51714643044.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://pikejip.rf.gd/suxofixawu.pdf
    • https://uploads.strikinglycdn.com/files/dfc0c9ff-ee19-4dc5-b1d5-e0646293d130/does_extended_warranty_cover_air_conditioner.pdf
    • http://dilutibu.onlinewebshop.net/notorixaref.pdf
    • http://javasuk.epizy.com/admission_form_meaning_in_marathi.pdf
    • https://15319a82-8c66-4906-b3c2-464277991f2b.filesusr.com/ugd/070acf_da01eb9d982d486c96635caf2a2ef892.pdf?index=true
    • http://naxeselixifepem.rf.gd/64194128027.pdf
    • https://2a984544-7cb8-4a4d-9f60-e686f7994e39.filesusr.com/ugd/1434d3_cc04f7626edd4db4b5ad8cd16ee90708.pdf?index=true
    • https://6b137298-3864-41c5-aaa3-11744000c3c2.filesusr.com/ugd/b916f4_8cb2db057783405a892e1162f1bec553.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1364e174-da88-494d-81f6-d7665c51df2e/pajaniba.pdf
    • https://a179b4bb-f9e1-4b0b-8685-f881d2afde68.filesusr.com/ugd/0fdb6d_f43847325ac34d60ac8b4b8362c1674a.pdf?index=true
    • http://jafajikizogid.epizy.com/complete_palmistry_book.pdf
    • http://kitalanexu.epizy.com/82686173021.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://sinhala.sourceforge.net/
    • http://sinhala.cvs.sourceforge.net/viewvc/*checkout*/sinhala/sinhala/fonts/CREDITS
    • http://www.gnu.org/licenses/gpl-2.0.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
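
The duplicate-object heuristic above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the point that a first-wins and a last-wins reader can follow different /URI targets from the same bytes can be reproduced with a short scanner. The Python below is an added example written for this page, not tooling from the analysis pipeline that produced the report. The sample PDF bytes are constructed for the demonstration, the list of "active content" dictionary keys and the info/high severity scale are the example's own assumptions, and the scanner deliberately ignores the xref table so that it sees every definition either kind of reader could resolve.

```python
import re
from typing import Dict, List, Tuple

ObjKey = Tuple[int, int]

# Constructed sample (not the analysed file): a one-page PDF whose object 5 is a
# /Link annotation. The original body points at a benign URL. An appended
# incremental update redefines object 4 (a stream, body-only change, the benign
# shape) and object 5 with a different /URI, without rewriting the xref table.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 0 >> stream
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Length 5 >> stream
hello
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.test/lure) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed key list: dictionary names whose presence lets an object run code,
# launch a program, submit data or redirect the reader when the page is opened.
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile|RichMedia)\b"
)


def scan_objects(data: bytes) -> Dict[ObjKey, List[bytes]]:
    """Map every (number, generation) to all of its body definitions, in file order.

    A plain byte scan rather than an xref walk: the heuristic needs to see every
    definition a first-wins or last-wins reader might pick. Streams whose payload
    contains the token 'endobj' would need /Length-aware parsing instead.
    """
    objects: Dict[ObjKey, List[bytes]] = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objects.setdefault(key, []).append(m.group(3).strip())
    return objects


def find_duplicate_bodies(data: bytes) -> List[dict]:
    """Report objects defined more than once with different body bytes."""
    findings = []
    for key, bodies in scan_objects(data).items():
        if len(set(bodies)) < 2:
            continue  # single definition, or byte-identical repeats: not the shape of interest
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "active": active,
            # Assumed scale: body-only differences are routine in incremental
            # updates, so stay at "info" unless a definition carries active content.
            "severity": "high" if active else "info",
        })
    return findings


def resolve_links(data: bytes, policy: str) -> List[str]:
    """Return the /URI targets a reader would follow under 'first' or 'last' wins."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    uris: List[str] = []
    for bodies in scan_objects(data).values():
        body = bodies[0] if policy == "first" else bodies[-1]
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


if __name__ == "__main__":
    for f in find_duplicate_bodies(SAMPLE_PDF):
        print(f"{f['obj'][0]} {f['obj'][1]} obj: {f['definitions']} definitions, "
              f"active={f['active']}, severity={f['severity']}")
    print("first-wins reader follows:", resolve_links(SAMPLE_PDF, "first"))
    print("last-wins reader follows: ", resolve_links(SAMPLE_PDF, "last"))
```

Run against a real sample, the interesting output is a disagreement between the two policies on an object that carries a /URI, /JS or /Launch key: that is the parser-confusion shape the heuristic describes, while a body-only difference in a stream object with no active keys is what an ordinary incremental save looks like.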

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename, kind, source, size and SHA-256 of each carved file:

  • font_00_sfnt_off0000e3b8.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0xE3B8  Size: 2940 bytes
    SHA-256: 29b259eaf349ac61a23541eb564545655ce7d79f48e7231f4678e23a0c983a44
  • font_01_sfnt_off0000ee37.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0xEE37  Size: 5516 bytes
    SHA-256: 1a7e81ee321642db57213f959418cec74a387c03300101f951254d9d3c126eaa
  • font_02_sfnt_off000100d1.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x100D1  Size: 2864 bytes
    SHA-256: 0f5c0efe4ccad7a3042cb2f954a21695c88ac0a69202bea05a82717ed60afa37
  • font_03_sfnt_off00010b9f.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x10B9F  Size: 13836 bytes
    SHA-256: 2ce5e355949601319578e9bae14f0c0f5180627f324d865c598e49bbd412b23d
  • font_04_sfnt_off00013773.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x13773  Size: 16144 bytes
    SHA-256: 0b8a502846124bbd36130e934e36c5204d741fa661430ecebba6fc4bc7a6f82e