Malicious PDF — malware analysis report

Static analysis result for SHA-256 acc2a5e113a2d7a4…

Verdict: MALICIOUS (risk score 96)
File type: PDF
Size: 90.8 KB
Created: 2021-03-29 01:38:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a9d4e87bc48bcdb648410640a73e8c23
SHA-1: 8ed7e8e8d103c74281ab597b5c0bc33b22f49130
SHA-256: acc2a5e113a2d7a4c76ef74716583eae09fb2a8c8fe58098f2a68c4090b67e2d

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The Nyx ML classifier (score 0.9905) and ClamAV (Pdf.Phishing.Trojan) both flag the file, so malicious intent is likely. The document was rendered from HTML by wkhtmltopdf and carries an external URL action; the lure URL, https://crophysi.ru/wix?keyword=minergate+apk+latest+version, baits the reader with a 'minergate apk latest version' search phrase, i.e. a download of MinerGate cryptomining software, which fits a redirect to potentially unwanted software or a phishing page. The many .pdf links on free file-hosting services (uploads.strikinglycdn.com, s3.amazonaws.com, epizy.com, rf.gd, 66ghz.com, iblogger.org) follow the same keyword-bait pattern. No JavaScript was extracted, so nothing recovered here substantiates the T1059.007 mapping; the verdict rests on the phishing signature, the URL action and the document structure, not on script content. The w3.org, purl.org and ns.adobe.com URIs are XMP namespace identifiers, and the gnu.org, sil.org, dejavu.sourceforge.net, ascendercorp.com and fedorahosted.org entries are font licence and vendor references (GNU FreeFont, SIL OFL, DejaVu, Ascender, Lohit) consistent with the five embedded fonts listed under Extracted artifacts; none of these is an indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9905

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/wix?keyword=minergate+apk+latest+version
    • https://cdn.sqhk.co/zodozane/P3jdjfu/lunikuguruwukifurejaza.pdf
    • https://cdn.sqhk.co/dupabeket/jf1LKC9/platform_bed_plans_full.pdf
    • https://cdn.sqhk.co/tirinakiweda/NURhheG/assistant_executive_director_definition.pdf
    • http://jisijopimif.66ghz.com/inspector_general_s_report_2019.pdf
    • https://cdn.sqhk.co/xezalagefog/6higiZb/free_bootstrap_checkout_page_template.pdf
    • https://cdn.sqhk.co/sexuzoropa/gsiegjT/95263595957.pdf
    • http://zasoremejoka.iblogger.org/analise_fundamentalista_forex.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://povasapodojika.epizy.com/nukedekawusipuvuviladuzit.pdf
    • http://bupixifebinare.epizy.com/liloxafit.pdf
    • https://uploads.strikinglycdn.com/files/6bccb78b-8f96-495b-b61d-e76654a88b1b/gate_2016_ece_marks_vs_rank.pdf
    • https://uploads.strikinglycdn.com/files/63653230-448f-4f3d-8c47-05cec090ae65/purposes_of_law_in_society.pdf
    • https://uploads.strikinglycdn.com/files/0ebb3313-4148-434b-829e-c854779b62fd/a1c_compared_to_blood_sugar_chart.pdf
    • https://uploads.strikinglycdn.com/files/59e855f3-0505-410f-a50e-d14c2045b077/captivity_of_mary_rowlandson_summary.pdf
    • https://uploads.strikinglycdn.com/files/f5bf96ca-01dc-458f-be17-6057059b9964/neket.pdf
    • https://uploads.strikinglycdn.com/files/8dc41582-3c2c-47d6-a9cc-6a16496d1b53/esv_audio_bible_dramatized.pdf
    • https://s3.amazonaws.com/xeponodij/sheet_metal_bead_roller_dies.pdf
    • https://uploads.strikinglycdn.com/files/19b22e8b-a0e0-48f7-b2db-0a3faef75639/fiwuporutonafom.pdf
    • https://s3.amazonaws.com/guvovigo/37539939335.pdf
    • https://uploads.strikinglycdn.com/files/fdee654c-8ed2-445f-9fbf-58612ba1a6b3/kixur.pdf
    • http://viwukapatajomi.rf.gd/bar_bar_din_ye_aaye_remix.pdf
    • https://s3.amazonaws.com/vesubodufisi/88255366062.pdf
    • https://s3.amazonaws.com/zijivevip/69802311926.pdf
    • https://uploads.strikinglycdn.com/files/e146c5f5-3b2e-4379-bd71-1c5299b44ae0/how_old_does_a_dachshund_have_to_be_to_breed.pdf
    • https://uploads.strikinglycdn.com/files/05f50e85-357a-4364-8772-b280d6490436/41631088441.pdf
    • https://uploads.strikinglycdn.com/files/66cf2e62-03d0-4a4b-a53b-9d1348ec0539/59218577722.pdf
    • https://s3.amazonaws.com/suzujewa/south_america_rivers_map.pdf
    • https://uploads.strikinglycdn.com/files/a6fa069c-9c4a-45d4-8aa6-52315155531c/79807416087.pdf
    • https://uploads.strikinglycdn.com/files/2350fb3c-ebf8-4304-8c44-704ae7916642/hitchhikers_guide_to_the_galaxy_movie.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
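The PDF_URI, EMBEDDED_URL and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above, reproduced as a worked example. This is added code, not the analysis tool's implementation. It runs over a constructed skeletal PDF (no xref table; hypothetical hosts docs.example and lure.example) in which an incremental update redefines the link-annotation object, so a first-wins and a last-wins reader resolve different URLs. URLs that occur only inside the XMP metadata stream are labelled separately, which is why namespace URIs such as http://www.w3.org/1999/02/22-rdf-syntax-ns# appear in the extracted-URL list without being indicators.

```python
"""Added example: raw-bytes PDF triage for three heuristics from the report
(PDF_URI, EMBEDDED_URL channel labels, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL).
Not the analysis tool's own code; sample input is constructed below."""
import re
from collections import defaultdict

# "N G obj ... endobj" over raw bytes. The xref table is deliberately ignored:
# an incremental update appends a second definition of an existing object, and
# which one "wins" depends on whether a reader trusts the xref, takes the first
# definition seen, or the last. Encrypted files and objects packed inside
# /ObjStm compressed streams are out of scope for this scanner.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal strings only; <hex> strings not handled
URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
# Keys that trigger behaviour rather than describe content. A duplicate object
# carrying one of these is escalated, as the heuristic text describes.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR")

# Constructed sample (hypothetical hosts docs.example / lure.example), not the
# analysed file: a one-page PDF with a link annotation and an XMP metadata
# stream, followed by an incremental update that redefines the annotation.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
       b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
       b'</x:xmpmeta>')
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://docs.example/benign.pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Metadata /Subtype /XML /Length "
    + str(len(XMP)).encode() + b" >>\nstream\n" + XMP + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://lure.example/wix?keyword=minergate+apk+latest+version) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def scan_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order, one entry per definition."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(objs: dict) -> list:
    """Objects defined more than once with differing bodies, plus what a
    first-wins and a last-wins reader would each resolve. Body-only differences
    stay at "info" unless one of the bodies carries an action key."""
    findings = []
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in body for body in bodies for k in ACTIVE_KEYS)
            findings.append({
                "obj": key,
                "definitions": len(bodies),
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
                "severity": "high" if active else "info",
            })
    return findings


def extract_uris(objs: dict) -> list:
    """(obj_num, revision, channel, url) for every URL in the file. Targets of a
    /URI action are what PDF_URI fires on; URLs that merely occur inside an XMP
    metadata stream (namespace URIs, font licences) are labelled as such."""
    hits = []
    for (num, _gen), bodies in objs.items():
        for rev, body in enumerate(bodies):
            action_targets = set(URI_RE.findall(body))
            is_metadata = re.search(rb"/Type\s*/Metadata", body) is not None
            for url in URL_RE.findall(body):
                if url in action_targets:
                    channel = "uri-action"
                elif is_metadata:
                    channel = "xmp-metadata"
                else:
                    channel = "document-body"
                hits.append((num, rev, channel, url.decode("latin-1")))
    return hits


def triage(pdf: bytes) -> dict:
    objs = scan_objects(pdf)
    return {"uris": extract_uris(objs), "duplicates": duplicate_objects(objs)}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for num, rev, channel, url in report["uris"]:
        print(f"obj {num} rev {rev} [{channel}] {url}")
    for d in report["duplicates"]:
        print(f"obj {d['obj']} defined {d['definitions']}x, severity={d['severity']}")
        for label in ("first_wins", "last_wins"):
            print(f"  {label}: {d[label][:80]!r}")
```

Run directly, it prints each URL with the channel that reached it and the duplicate-object finding for object 4, whose two definitions resolve to different URI targets. The escalation rule mirrors the heuristic's wording: a redefined /Title or /Producer stays at info, a redefined /URI, /JS or /Launch does not.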

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f1fe.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF1FE
    Size: 6440 bytes
    SHA-256: 629123bfde0685c5f69bbdd27ec008bde0224d5c30af1dabb990f6ee33ea778e
  • font_01_sfnt_off000101f2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101F2
    Size: 5116 bytes
    SHA-256: 033a03925a6b66c5d00f429a2d0d30ad9ce1d536815d8c0be00d614b79af8056
  • font_02_sfnt_off00011382.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11382
    Size: 10696 bytes
    SHA-256: f2070dbeeded4f9723bf2407838999f2feb9178dfb401584af0ef166511cd7e9
  • font_03_sfnt_off0001386e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1386E
    Size: 16036 bytes
    SHA-256: 354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb
  • font_04_sfnt_off00014d12.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14D12
    Size: 3524 bytes
    SHA-256: efa28d4d6f970fe7611181c2d15a020f2df49775abfc4461c750cfa780c37718