Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac5a76bd8c69031f…

Verdict: MALICIOUS

File type: PDF

Size: 75.3 KB
Created: 2021-03-19 07:35:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 821c4a76ef8a9e200db1bab7e92bb181
SHA-1: 18479370a0dd3bce8827279321973ced59116d2a
SHA-256: ac5a76bd8c69031f733b80d65897b0ff6a658789b660730f4c8c970f94007469

Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ClamAV and a machine learning classifier, with a high risk score. It contains an embedded URL that leads to a suspicious domain, likely serving as a lure for users to download further malware. The PDF structure and content suggest a phishing attempt disguised as a document download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://mezovuduw.ru/award?keyword=agone+rpg+pdf+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e8a7.bin
SHA-256: 02f8b2480e086158f6994a43512a614921533d98d57cef593c90328cebc075af
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE8A7
Size: 5112 bytes

Filename: font_01_sfnt_off0000fa36.bin
SHA-256: 10c5cf705f7eb8c0dc7d73ed34eac206019b819ca7f6338555ea8f57cd1e1870
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFA36
Size: 10968 bytes