Malicious PDF — malware analysis report

Static analysis result for SHA-256 aff0d6550fa1935a…

Verdict: MALICIOUS
File type: PDF
Size: 139.4 KB
Created: 2021-03-30 13:08:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 81ace112c4d43fb90afe93823b0ddec3
SHA-1: d84eaaca83d46933129aef3fe8f9a2543085109b
SHA-256: aff0d6550fa1935acd16da482bfcb10086ced2b028247a70617a4ecc2af3418b
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. An external URI pointing to 'https://maypoin.ru/wix?keyword=wrestling+observer+awards+2019+reddit' was extracted, suggesting the document's purpose is to redirect users to this potentially harmful site. The document body contains garbled text and metadata related to wkhtmltopdf, but the primary threat appears to be the embedded URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=wrestling+observer+awards+2019+reddit

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • font_00_sfnt_off000101b6.bin
    SHA-256: e5dd13dd572670652436289ba5df5416822ac6251aa9d26cbdbf6843659476b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x101B6
    Size: 75984 bytes
  • font_01_sfnt_off0001e3fe.bin
    SHA-256: acd5487143825f4654404cf7b5053f969858e279b247238d4cc128e140db5f90
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1E3FE
    Size: 5780 bytes
  • font_02_sfnt_off0001f7d4.bin
    SHA-256: 19fd4bdf220f9b19baf032600d79cb5512687bd26f0211389f3a61a9da2c1136
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1F7D4
    Size: 10944 bytes