Malicious PDF — malware analysis report

Static analysis result for SHA-256 b07b9e8230037eac…

MALICIOUS

PDF

Size: 79.7 KB
Created: 2021-03-29 21:28:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 32b5abf53cbd9a9d06bdf3247df31bdd
SHA-1: c6187e90a2cea1436c3fafb63998febc8af81f42
SHA-256: b07b9e8230037eac7ff6f9b7916e7ba6bcc140597dcc696c902677ddd2ec88e4
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The sample is a PDF document flagged by ML classifiers as malicious. Heuristics indicate it is a lure for remote-support tools, instructing the user to install such software. The embedded URL points to a domain often associated with malicious downloads, and the document body, although partially corrupted, suggests a context related to software downloads.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9991)

Heuristics (4)

  • Remote-support tool lure (severity: high) SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs
    • https://gimoguvi.ru/123?utm_term=uc+browser+for+windows+10+pro
    • https://static.s123-cdn-static.com/uploads/4391909/normal_5ffc30bbd713b.pdf
    • https://cdn-cms.f-static.net/uploads/4467586/normal_602c0dec9de36.pdf
    • https://cdn-cms.f-static.net/uploads/4414176/normal_6052d65378589.pdf
    • https://static.s123-cdn-static.com/uploads/4376382/normal_5ff7f77d667ef.pdf
    • http://opensoda.pro/anydesk_free_windows_xp913aw.pdf
    • https://static.s123-cdn-static.com/uploads/4370088/normal_5fcea777b2b91.pdf
    • https://static.s123-cdn-static.com/uploads/4486344/normal_6000a886d8f28.pdf
    • https://cdn-cms.f-static.net/uploads/4426071/normal_600cedf7d4168.pdf
    • https://static.s123-cdn-static.com/uploads/4368996/normal_5fe3d7dee163f.pdf
    • http://circleshtang.xyz/toyota_verso_service_manualzuvxv.pdf
    • https://static.s123-cdn-static.com/uploads/4415740/normal_5fde45b668f58.pdf
    • https://static.s123-cdn-static.com/uploads/4476294/normal_5fcd7e3b55e3f.pdf
    • http://optarfes.com/349736901236rsli.pdf
    • http://bilet-pdd.site/anti_aircraft_missiles_for_saleb9kpy.pdf
    • http://technodom11.com/how_to_calculate_brine_solutionk7mgp.pdf
    • https://cdn-cms.f-static.net/uploads/4408997/normal_6009f00dc5955.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/b70c4714-bfd3-4ef5-aa6a-321ae5bfbdc3/how_to_set_pressure_on_resmed_s9_autoset.pdf
    • https://22fea36a-5e19-4af1-b4aa-fe6e1efe0ee9.filesusr.com/ugd/b5a188_ff04af8436a644e998f93b1b2ad8a21b.pdf?index=true
    • https://ed36ca5d-e6e9-4caf-8bbb-3a8af5cfee16.filesusr.com/ugd/971556_d0659924c91a4b578d79ba426ef3b9c5.pdf?index=true
    • https://uploads.strikinglycdn.com/files/73ab08db-cb26-400f-937b-3edf3eebfa4b/70753880609.pdf
    • https://uploads.strikinglycdn.com/files/680501b7-57a9-480a-98c9-eab21b11b1b5/buderus_logamax_plus_gb142_parts_list.pdf
    • https://d3dd75b0-514a-4dbf-a1f7-973a5b421fb1.filesusr.com/ugd/5b46ec_0d93fda3f9d84635b569bd5221a64ced.pdf?index=true
    • https://3794eb9c-cc8b-492c-aecc-44533f76aaa6.filesusr.com/ugd/1ee69b_f28dac84033f47218217323932112b5c.pdf?index=true
    • https://081e7fb2-604d-424b-9b75-a58d54a71a44.filesusr.com/ugd/abd6ea_649da0f777cf482f98d47ecfad1d7939.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fa5f.bin
    SHA-256: 017b2cb0f7dcf49ffd6a7911aee76faf0f3ac9cf152eb54b6e0c00f964a7afde
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA5F
    Size: 5324 bytes
  • Filename: font_01_sfnt_off00010ca6.bin
    SHA-256: a33255d266eff7c19e82261bd4e5c5a28213c4faedc6e7f9f35da2f695458db5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CA6
    Size: 10520 bytes