Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa79004b0eb575a4…

Verdict: MALICIOUS
File type: PDF
Size: 165.2 KB
Created: 2021-06-13 22:05:38 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-25
MD5: 87a7e3efe5cae6b09fd6a6c6e15fa8f1
SHA-1: 158b4ee050a403531a977cfbead95ffa27c4d4f2
SHA-256: aa79004b0eb575a40fd343e760edbed68ef0025acc5c47e96101dc9f628577e3
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9975

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://philabc.ru/pbw?utm_term=horror+movies+in+tamil+dubbed+full+movie (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4376625/normal_6038571cca7b4.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4495558/normal_5ff0cdc8b72e8.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4505771/normal_6000d31e613f9.pdf (in PDF document text)
    • https://pakosikan.weebly.com/uploads/1/3/0/7/130740558/5ece9.pdf (in PDF document text)
    • https://samomalekadoj.weebly.com/uploads/1/3/1/4/131438786/dowamezisufek-jozukoxuzu-nebed.pdf (in PDF document text)
    • https://wutesubigu.weebly.com/uploads/1/3/4/8/134893167/5480446.pdf (in PDF document text)
    • https://kadeborejegan.weebly.com/uploads/1/3/2/7/132740978/1582853.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4459341/normal_5fffb95931efb.pdf (in PDF document text)
    • https://static.s123-cdn-static-d.com/uploads/4378410/normal_60b4f1ae769fa.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366645/normal_6017cdf292dee.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4480728/normal_601bfa67c7097.pdf (in PDF document text)
    • https://guvoxokogavi.weebly.com/uploads/1/3/4/3/134374443/jujigapanelo_vuvulok.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4426696/normal_5fe1f65e898ea.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4412778/normal_6023dc796a698.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4461763/normal_6008ffc86323e.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4446275/normal_5ffa038ecc034.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4447089/normal_601fd9b655293.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e1f9e74e-0f80-42b0-9db4-7c379ad94edc/transition_words_for_essays_second_body_paragraph.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/362d4150-5525-4e8a-bd48-b963a3242988/simple_weekly_timesheet_template_excel.pdf (in PDF document text)
    • http://kedetuwi.pbworks.com/f/athulitha_baladama_hanuman_chalisa_lyrics_telugu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/db40610c-b6fe-47ae-9bda-15785e0af030/71824667601.pdf (in PDF document text)
    • http://niwomif.pbworks.com/w/file/fetch/144427560/nofazale.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b414294d-f9d6-4d1b-b6f5-2db1cff4a16f/dell_optiplex_7010_motherboard_type.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00024af1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24AF1
    Size: 5212 bytes
    SHA-256: 382a38e8f71e99560c1e07481c6d6fdd19580fd3061546db08795bdd0fdaa468
  • font_01_sfnt_off00025c8d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x25C8D
    Size: 12424 bytes
    SHA-256: 0ca919ac6c5ba3f905ae97457432a006f272985b377d79fe6e588e8640c3850d