Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1869bb48af6b16c…

Verdict: MALICIOUS
File type: PDF
Size: 84.8 KB
Created: 2021-03-14 15:00:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cfcbb58aa3e1a68915b719c616ddcfe1
SHA-1: 70c1d5e8c9fc17a39d12585db36b5547099d96b7
SHA-256: a1869bb48af6b16cb0e3d900c0f4ed36a5dfee8b566e2a5e3668415a007289c1
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF containing an embedded URI pointing to a suspicious domain, identified as malicious by ClamAV and an ML classifier. The document body, though heavily obfuscated, suggests a lure related to a game guide. The presence of external URIs indicates an attempt to redirect the user to a potentially malicious site for phishing or further payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://resalured.ru/123?utm_term=dragon+city+high+overlord+race+guide
    • http://idealica-ufficiale.site/gimapugobarosugadisudtk24.pdf
    • http://pifemukopisare.sportsontheweb.net/is_scorch_trials_on_amazon_prime.pdf
    • https://cdn-cms.f-static.net/uploads/4387816/normal_600fc795a5cd0.pdf
    • https://cdn-cms.f-static.net/uploads/4417049/normal_60434382c2582.pdf
    • http://betijeduw.getenjoyment.net/17425587465.pdf
    • http://xeratigike.medianewsonline.com/87191862922.pdf
    • https://cdn-cms.f-static.net/uploads/4480893/normal_603e91b37f436.pdf
    • http://xobilosusi.sportsontheweb.net/37136713158.pdf
    • http://pesuloduf.medianewsonline.com/vacuna_varicela_zoster.pdf
    • http://rivepozepuxar.mywebcommunity.org/20462978688.pdf
    • http://azakalaza5.xyz/frozen_script_short_versionv1urk.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://edb7bb8d-792a-4213-93ec-7f573d37cc74.filesusr.com/ugd/bfd504_cd713a9bcaec4b31ae8855aedd041652.pdf?index=true
    • https://s3.amazonaws.com/vipuxafol/34692732551.pdf
    • https://s3.amazonaws.com/fomaralunex/21052987809.pdf
    • https://3b044092-e341-4c69-a8e2-52b14fc1865f.filesusr.com/ugd/370021_d85032a2801940b3802489d5f36c3661.pdf?index=true
    • http://jisijuvod.myartsonline.com/xuluvibutewuru.pdf
    • https://7f06b679-e14d-4525-8955-d56a7cf6f710.filesusr.com/ugd/79e5df_93b73d1e87b54d6e9b2ae1d306398ddd.pdf?index=true
    • https://s3.amazonaws.com/wovugi/attila_total_war_guide.pdf
    • http://wepogevadapafa.atwebpages.com/linux_command_prompt_cheat_sheet.pdf
    • https://856cb5e6-6c81-45ce-9604-b57907a15cd2.filesusr.com/ugd/cc3ca9_7dded9face9d4e1e9900eb916229007c.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e993.bin
    SHA-256: 5a695b2a0c1c02f5df5837cf18b61e4029490cf7eb1c44eaedb462a19622ace8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE993
    Size: 5184 bytes
  • font_01_sfnt_off0000fb41.bin
    SHA-256: 6539b129c5cd894636dc8f40f53a156c00c8f46378ab4f137c96d687a1cff6ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB41
    Size: 3720 bytes
  • font_02_sfnt_off000106a4.bin
    SHA-256: 933dd15dd0c66ae8f36076b8632073d0832ebfddab6866fc9d7daeec8b826387
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x106A4
    Size: 11560 bytes
  • font_03_sfnt_off00012e4c.bin
    SHA-256: 33ed43e38cfb2b59389ccbf1423cb5d2f42620b2466364c3cc94fac89c5ff1fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12E4C
    Size: 6644 bytes