Malicious PDF — malware analysis report

Static analysis result for SHA-256 a835145754fe27b4…

Verdict: MALICIOUS
File type: PDF
Size: 76.5 KB
Created: 2021-03-14 04:13:21 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-07
MD5: de7c5e2da3c9fde125016f6e630916f6
SHA-1: 0e7629d5696361543b0e3d7448cbf7d9b6d3844c
SHA-256: a835145754fe27b411cb4fbb7f4e021d900b6e37714b39d547570198a25514ce
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier indicated a high probability of maliciousness. The document contains an embedded URL pointing to 'fokemale.ru', which is likely used to host phishing content or download further malicious payloads. No scripts were extracted, but the presence of the URL and the phishing detection strongly suggest a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fokemale.ru/wix?keyword=antawn+moore+pender+high+school+football (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ebf9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEBF9
    Size: 5788 bytes
    SHA-256: c4699053c9b81af3014499b27ead5a4a4ad1a26f256e1bd95ed382187a5e9aaf
  • font_01_sfnt_off0000ff9b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF9B
    Size: 10812 bytes
    SHA-256: dd866e975c24cb8c9f3477d18d4f0fbeb5956eb8432819b823ecfa0d04dead1b