Malicious PDF — malware analysis report

Static analysis result for SHA-256 a09d8c5260ad75ca…

MALICIOUS

PDF

Size: 83.3 KB
Created: 2021-04-07 07:11:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 790c248e8b3848e14f9d6482af5fbc86
SHA-1: 9162c21be9cd6c05ac1be6905b2d0a4d092ab828
SHA-256: a09d8c5260ad75ca2e79e935b3882411b5390acb5a1c2dd8c550a06b2b98c57b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with heuristics indicating the presence of external URIs. The embedded URLs and the document body, despite being heavily obfuscated, suggest a lure to a malicious website. The primary technique observed is the use of embedded URLs to redirect users, likely for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/award?keyword=important+days+pdf+in+english+2020
    • https://cdn.sqhk.co/loziromegon/cyhbfTV/org_2021_vip_apk_download.pdf
    • https://cdn.sqhk.co/poxedomeke/hfVihwP/punikuzisaxobuzulizet.pdf
    • http://pojekofa.iblogger.org/tejuzu.pdf
    • https://cdn.sqhk.co/zasokolof/iaOeZjb/11571416510.pdf
    • https://cdn.sqhk.co/ritasuxa/S2hhgep/old_newspaper_template.pdf
    • https://cdn.sqhk.co/bomunerafoju/dijjdcf/fisikav.pdf
    • https://cdn.sqhk.co/wifavizen/q4nigii/skateboard_3d_hacked.pdf
    • https://cdn.sqhk.co/mudifuto/YXK5hgv/pebedujux.pdf
    • https://cdn.sqhk.co/rexukewanej/ezjdU83/bike_racing_3d_online_play_free.pdf
    • https://cdn.sqhk.co/kivutuzo/iNohhpE/99392867568.pdf
    • https://cdn-cms.f-static.net/uploads/4453098/normal_604e19628439b.pdf
    • https://cdn-cms.f-static.net/uploads/4476142/normal_6025c18541ba9.pdf
    • https://cdn.sqhk.co/fewoxenovof/ljhOXTo/gheymat_bazar_khodrop.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vuxalirudidel/alternator_generator.pdf
    • https://s3.amazonaws.com/gezetega/bluetooth_headphones_driver_windows_10.pdf
    • http://zomefol.epizy.com/sogulaj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010766.bin
    SHA-256: 415b5141d5a783d44052ea601f2cd1bce1000e32b0867255345de7be9fe08246
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10766
    Size: 5768 bytes
  • Filename: font_01_sfnt_off00011ae1.bin
    SHA-256: faf01c2e28b9292847c0137441d7f331e63956dadd7aecd367df84b8801777ae
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11AE1
    Size: 11184 bytes