Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae592e39bd207b8d…

Verdict: MALICIOUS
File type: PDF
Size: 258.1 KB
Created: 2021-03-31 15:09:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-16

MD5: 48258bf9912ec451758ba5a43b565f4e
SHA-1: e742798c953182dbb11ee0619a6d61c2bdc08863
SHA-256: ae592e39bd207b8df3e8ed35c32ceddb5a072b905b37de99b152bcbaabc84b19

Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan, and a machine learning classifier indicated a high probability of maliciousness. An embedded URI points to a suspicious domain, likely used for phishing or to host a malicious payload. The document body contains garbled text, suggesting it is not intended to be read by the user but rather to obscure malicious content or an exploit.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9715

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://leonvi.ru/strik?utm_term=change+the+subject+meaning (channel: PDF link annotation)
    • http://carinsusa.info/spectrum_math_workbook_grade_8_free92cvz.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/xudadidi/rgcVgj0/magic_charm_word_meaning.pdf (channel: PDF document text)
    • http://shoop-fg.ru/what_is_the_best_mini_fridgen9qyh.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/rinovizifim/dgdidfN/labuguxobudifexa.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/jibezilesu/h8w2iRf/mars_time_to_orbit_the_sun.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/razefudixid/AiblzSh/28837725687.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/nugutobudan/uVhb4ij/83448256361.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/xexemanidadu/JMxgihf/kitevibuxosiwotiwetelat.pdf (channel: PDF document text)
    • http://vadosaj.getenjoyment.net/pekusa.pdf (channel: PDF document text)
    • http://gudutisiluzew.mypressonline.com/online_education_system_project_report.pdf (channel: PDF document text)
    • http://50offshop.pro/australian_culture_and_culture_shock_ielts_answersr1vun.pdf (channel: PDF document text)
    • https://cdn.sqhk.co/nisikevepoxi/iejcgf7/rotowugelonivupepigedi.pdf (channel: PDF document text)
    • http://www.opentle.org (channel: PDF document text)
    • http://www.ascendercorp.com/ (channel: PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (channel: PDF document text)
    • http://fedorahosted.org/lohit (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/f05f7429-f6f6-41d9-a8b2-9f8447f8c9ad/gukamivakiju.pdf (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/1c76f60a-1431-45f4-ab4d-515b4e81a3ed/aprender_verbos_en_ingles_para_nios.pdf (channel: PDF document text)
    • http://dogiwexor.myartsonline.com/george_bridgman_libros.pdf (channel: PDF document text)
    • http://nabafutig.myartsonline.com/ilmi_capsule_book.pdf (channel: PDF document text)
    • http://gajopule.myartsonline.com/numeros_para_colorear_e_imprimir.pdf (channel: PDF document text)
    • https://dda5c79a-a75d-44d9-a006-48dec3bfe172.filesusr.com/ugd/115d6e_8173e98848d44f3a83f6f3446497827c.pdf?index=true (channel: PDF document text)
    • https://e06e8306-d71e-4c92-aa1b-e8c52eeb44cb.filesusr.com/ugd/bc4951_292c477a1006457a9a3c95483e25a303.pdf?index=true (channel: PDF document text)
    • https://uploads.strikinglycdn.com/files/ccde6117-7f71-418f-872e-0eeafef8b970/kujolirexitaba.pdf (channel: PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (channel: PDF document text)
    • http://purl.org/dc/elements/1.1/ (channel: PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (channel: PDF document text)
    • http://www.gnu.org/licenses/gpl.html (channel: PDF document text)
    • http://dejavu.sourceforge.net (channel: PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (channel: PDF document text)
    • http://scripts.sil.org/OFL (channel: PDF document text)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_005_off000320ba.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x320BA | 14108 bytes | edda52072565fc85abce5f995f87d8ebfc2e559f79b97230d118b3f756e8f50c
stream_007_off0003a4cf.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3A4CF | 33336 bytes | 9997bb0d2f133131f581d9daa401ac004391c6c24f11e042900d76a7439f114d
font_00_sfnt_off000240fc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x240FC | 66032 bytes | cfbfdfe75d79677bc1522790920a59b5f21786244e9cdd3e659bd5dc766ce078
font_01_sfnt_off00030f2f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x30F2F | 5204 bytes | d1b57bd19a16532b018b078c7d405136d40a583587095072a6e70de05335d355
font_03_sfnt_off00034824.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x34824 | 38884 bytes | 7944a42eeb1058dda0a8df35303fbf2e0e4e0f1c358ce14c1a2067bf89e3af5e
font_05_sfnt_off0003de07.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3DE07 | 8212 bytes | 19e09b762e548130d98fc0f82c39947495eab48a1b5b027a875cd6a9fb5bf770