Malicious PDF — malware analysis report

Static analysis result for SHA-256 aebbabab1cbf7ff1…

Verdict: MALICIOUS
File type: PDF
Size: 155.0 KB
Created: 2021-03-13 17:34:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: a6d51afcb6e7c904f1c6582eee986752
SHA-1: ab9313919da33389c004c236fd1a84cd354f8acb
SHA-256: aebbabab1cbf7ff16a8aa6818f33936311ca7e14f139bf45826730cc95324e74
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9947

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://golowaki.ru/aws?utm_term=kung+fu+hustle+landlady+and+husband (channel: PDF link annotation)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00018870.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x18870  43208 bytes
    SHA-256: 227f889198ea1fd5e0e7bb7036d2eac975caee1b2e5fe3037b3aa12dfb63511a
font_01_sfnt_off00020cc9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x20CC9  5284 bytes
    SHA-256: 93a0a56d964999695765f72f35918b05fd6cd4e22c97d976208c1f57ae62beac
font_02_sfnt_off00021ed9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x21ED9  12796 bytes
    SHA-256: 5006a844e43b95dfc82c3eaa8e25b649bd5436861abc2c0580d8e8d77183f104
font_03_sfnt_off00024801.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x24801  16060 bytes
    SHA-256: 660d05b38fea380e8cc13f4a5a7db764e9bd2a20a73145a73af50c118749f22b