Malicious PDF — malware analysis report

Static analysis result for SHA-256 a06e56f50b4d8e74…

Verdict: MALICIOUS
File type: PDF
Size: 82.5 KB
Created: 2020-12-15 03:11:23 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: 051218dd14fca9de5663357ee9c4b260
SHA-1: 90a4b79abfe4ef90417014500ae5fb97d7280dee
SHA-256: a06e56f50b4d8e74ad1417e092efe1e9cadf927eb385af4298c8ff256961f30f
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_004_off000102b6.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x102B6
    Size: 25028 bytes
    SHA-256: 08763e388718c3397723e8843a93f93fbe71379d8c33fecd5accf67ec9120979
  • font_00_sfnt_off0000cb52.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCB52
    Size: 5280 bytes
    SHA-256: 1eab181858f890ba83d9dd1e2a84dbaccc8f9b2d161d72256202e069283453bc
  • font_01_sfnt_off0000dd1d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDD1D
    Size: 10940 bytes
    SHA-256: 1d0e66853e36080a08184f8b7ab4cddf67d21053b053cec3ef2fcfc75c4b9b29
  • font_03_sfnt_off00012e90.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12E90
    Size: 4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c