Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae60de4887c4f335…

MALICIOUS

PDF

76.0 KB Created: 2021-05-22 12:54:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-16
MD5: 85b09e43a6d6f7f00131ac30de941da2 SHA-1: de65418b4c109b273c09aadfa05378ae91959068 SHA-256: ae60de4887c4f33571303d7f684d511f6bbecfeaf0e2266a0c78aa723512a9d0
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is a PDF file flagged by ClamAV as a phishing trojan. Heuristics indicate it is an MFA/one-time-code harvesting lure, consistent with credential phishing. The embedded URL https://jumiwimov.ru/strik?utm_term=iphone+activation+lock+removal+free+online likely leads to the phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/strik?utm_term=iphone+activation+lock+removal+free+online PDF link annotation
    • https://static.s123-cdn-static.com/uploads/4465394/normal_6008c79679d04.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4487632/normal_601fd84dc9c0c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4379970/normal_602e32e991f14.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4371261/normal_6028a83200f06.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4415326/normal_60182e2d384b4.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4451225/normal_60571774b5827.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4371020/normal_5fe28806356bb.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4465133/normal_5fd93b0f9915d.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4376878/normal_5fe5c6ac6e76c.pdfIn PDF document text
    • https://static.s123-cdn-static.com/uploads/4428342/normal_6003273f0658c.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4379732/normal_60374a5db77ec.pdfIn PDF document text
    • https://cdn-cms.f-static.net/uploads/4474449/normal_60387886edb41.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/baacfd03-b971-4d4c-b985-8690504a8324/84172568461.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/33fe2546-5ff7-41de-a39d-f618024053cc/gosuwotivupe.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9915e1ea-b16e-4607-97d4-63bf45931491/mafegefusupidugidofodizup.pdfIn PDF document text
    • https://s3.amazonaws.com/taguxif/equity_asset_valuation_4th_edition.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5100e1ce-ebcd-455a-96fd-1c86bf09c55b/advanced_microeconomics_varian.pdfIn PDF document text
    • https://s3.amazonaws.com/legipalofi/does_mary_die_in_godfather_3.pdfIn PDF document text
    • https://s3.amazonaws.com/dugibabafod/capitalismo_informacional_resumo.pdfIn PDF document text
    • https://s3.amazonaws.com/fomudebipefasu/forest_watcher_answer_key_link.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/374c7ffa-1093-43f4-9041-06c982503e01/what_accent_do_i_have_british.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/94432794-f8ed-4113-a923-62d92da0f9dc/renawajalagenevetedigopi.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ebed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEBED 5140 bytes
SHA-256: 7633dc60e31e2c414622dcfae53eeace48e7791c7eb00f3e0a4db89359699a06
font_01_sfnt_off0000fd4c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD4C 10744 bytes
SHA-256: dc8341614e5bda3eb7d8df95d3764a9a8e466c9c0842bc768eddcf754a25bad4

Open this report in the interactive analyzer, or submit your own file for analysis.