Malicious PDF — malware analysis report

Static analysis result for SHA-256 a344c054f4aa8b77…

Verdict: MALICIOUS
File type: PDF
Size: 79.7 KB
Created: 2021-04-27 04:25:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e1998a856cece0f0819844dccf6155ce
SHA-1: bf70922ccd987868617660a211b25fc9ce562fc4
SHA-256: a344c054f4aa8b77375308be4cfee6757c1479e69141cdd9d4fc00789e578880
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged by multiple heuristics, including a critical ClamAV signature match and a high-confidence ML classifier score, and is assessed as malicious. It carries an external URI action pointing to https://jacksth.ru/strik, the shape typically used to pull a secondary payload or redirect the reader to a phishing page once the link is clicked. The URI's utm_term parameter is double percent-encoded Spanish that decodes to "¿qué es el ayuno en la biblia" ("what is fasting in the Bible"), and the heavily obfuscated document body carries the same biblical-fasting theme; a religious-study lure fronting a .ru landing page is a deceptive pairing rather than content of interest. The other extracted URLs are body links to PDFs on free file-hosting CDNs and blog hosts, plus XMP namespace and font-licence URIs (w3.org, purl.org, ns.adobe.com, scripts.sil.org/OFL, ascendercorp.com) that come from document and embedded-font metadata and are not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV matched the signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/strik?utm_term=%25C2%25BFqu%25C3%25A9+es+el+ayuno+en+la+biblia (the external URI action noted above)
    • https://cdn-cms.f-static.net/uploads/4366045/normal_60126e03dd2df.pdf
    • https://static.s123-cdn-static.com/uploads/4419633/normal_5ff7ab3c371f2.pdf
    • https://cdn-cms.f-static.net/uploads/4526930/normal_60586cb7ac380.pdf
    • https://static.s123-cdn-static.com/uploads/4466413/normal_5fce3396491f4.pdf
    • https://cdn-cms.f-static.net/uploads/4470399/normal_605a0f668246a.pdf
    • http://zofapojofiwifi.iblogger.org/front_page_newspaper_template_google_docs.pdf
    • http://sefefiwa.22web.org/calculus_by_thomas_finney_10th_edition.pdf
    • https://static.s123-cdn-static.com/uploads/4408990/normal_5fdf8b3f7653a.pdf
    • https://static.s123-cdn-static.com/uploads/4499635/normal_5fedbfe392cc8.pdf
    • https://cdn-cms.f-static.net/uploads/4495264/normal_602a20b10fbcc.pdf
    • https://static.s123-cdn-static.com/uploads/4495860/normal_5feff9f14406b.pdf
    • https://static.s123-cdn-static.com/uploads/4412388/normal_5ffb4aa58eec0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://a1d3e036-d9a1-4be1-9d2f-eedbb581cb22.filesusr.com/ugd/3ce946_efab135d2f8c4119a2a8cf30714f2d5f.pdf?index=true
    • https://s3.amazonaws.com/xajowu/marasovapirezevosafox.pdf
    • http://lanogiwelo.rf.gd/scissor_lift_design_calculations.pdf
    • https://s3.amazonaws.com/bizamesuwepe/87532995971.pdf
    • https://s3.amazonaws.com/pasawexawinogad/faa_h_8083_3a.pdf
    • https://167c2301-eccc-4e3a-a609-38a4f17b9bf8.filesusr.com/ugd/b1dabf_8782431a5f8f456b80c11eb95c1e0ade.pdf?index=true
    • https://bcd7deca-fd5d-492b-a220-d373ca515bc9.filesusr.com/ugd/12f4eb_dd7ecd1523244d67b3335a96e828d56b.pdf?index=true
    • https://1e16f6d7-285b-4488-bf07-d3e24ac90e20.filesusr.com/ugd/417718_35d95b5ac85c42bc9feceb3ea3b35d14.pdf?index=true
    • https://s3.amazonaws.com/xufujofaleki/wizofidujaxilawar.pdf
    • https://uploads.strikinglycdn.com/files/a6d76841-5ac9-4ea8-a0c0-2bd04dc2e0ef/sajuwifazenamabejidiku.pdf
    • https://uploads.strikinglycdn.com/files/e17abf1b-b24d-43f4-84cc-f36ad140a1ca/what_is_the_synonym_of_sleepy.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
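The two structural heuristics above (an object number defined twice with different bodies, and an external /URI action) are cheap to reproduce on raw bytes. The script below is an added example written for this report, not part of the analysis platform or its heuristics; it walks the file's `N G obj … endobj` pairs, reports objects whose bodies differ between definitions, resolves them under both first-wins and last-wins policies so you can see which URI each kind of reader would follow, applies the report's rule that a duplicate only matters when it carries active content, and peels the double percent-encoding off the utm_term lure. The sample PDF is constructed for the example: a one-page file whose link annotation (object 4) is redefined by an incremental update, with https://example.org/benign as a placeholder for the original target and the jacksth.ru URL taken from this report. Its xref tables are omitted because the scanner, like a recovering reader, ignores them.

```python
"""Triage helpers for PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI style findings."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample (not the analysed file): object 4 is defined twice, the second
# time by an incremental update appended after the first %%EOF.  No xref is included;
# this scanner works from the raw object stream, as a recovering reader would.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://example.org/benign) >> >>
endobj
trailer
<< /Root 1 0 R /Size 5 >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://jacksth.ru/strik?utm_term=%25C2%25BFqu%25C3%25A9+es+el+ayuno+en+la+biblia) >> >>
endobj
trailer
<< /Root 1 0 R /Size 5 /Prev 0 >>
%%EOF
"""

# "N G obj <body> endobj"; the lookbehind keeps a match from starting inside a number.
OBJ_RE = re.compile(rb'(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj', re.DOTALL)
# Literal-string /URI (...) values; backslash escapes inside the parentheses are allowed.
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)')
# Keys that turn a body-only duplicate from a benign edit into active content.
ACTIVE_RE = re.compile(rb'/(URI|JS|JavaScript|Launch|OpenAction|AA|SubmitForm|GoToR)\b')


def parse_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order (incremental updates append)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(objs: dict) -> dict:
    """Objects defined more than once whose definitions are not byte-identical."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(objs: dict, policy: str) -> dict:
    """Pick one body per object: 'first' (lenient scan) or 'last' (incremental-update semantics)."""
    idx = 0 if policy == 'first' else -1
    return {k: v[idx] for k, v in objs.items()}


def uri_actions(bodies) -> list:
    """External /URI targets found in the given object bodies."""
    return [m.group(1).decode('latin-1') for body in bodies for m in URI_RE.finditer(body)]


def severity(dups: dict) -> str:
    """The report's rule: body-only duplicates stay 'info' unless a duplicate carries active content."""
    active = any(ACTIVE_RE.search(b) for bodies in dups.values() for b in bodies)
    return 'high' if active else 'info'


def decode_utm_term(url: str) -> str:
    """Peel the double percent-encoding off utm_term (parse_qs unquotes once, unquote again)."""
    term = parse_qs(urlparse(url).query).get('utm_term', [''])[0]
    return unquote(term)


def triage(pdf: bytes) -> dict:
    objs = parse_objects(pdf)
    dups = duplicate_objects(objs)
    return {
        'duplicates': sorted(dups),
        'duplicate_severity': severity(dups),
        'first_wins_uris': uri_actions(resolve(objs, 'first').values()),
        'last_wins_uris': uri_actions(resolve(objs, 'last').values()),
    }


if __name__ == '__main__':
    report = triage(SAMPLE_PDF)
    for key, value in report.items():
        print(f'{key}: {value}')
    print('decoded lure:', decode_utm_term(report['last_wins_uris'][0]))
```

A reader that trusts the trailer's /Prev chain resolves object 4 to the jacksth.ru target, while one that rebuilds the file by scanning from the top may land on the benign body, which is exactly the split the duplicate-object heuristic is warning about; run both policies over a suspect file and treat any difference in the resulting URI set as the finding.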

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f72a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF72A   5132 bytes
  SHA-256: 62db645924a71b195ca33ed88911276836f4110a7868369cd9abd6eb871da1dd
font_01_sfnt_off0001087b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1087B  12084 bytes
  SHA-256: f9ce1ed79736e202ae32652af158667ab1361e14d0718f71ee880d4372a0ade9