Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1c89e4e60ca5588…

Verdict: MALICIOUS
File type: PDF
Size: 67.1 KB
Created: 2020-12-14 03:42:16 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-26
MD5: 80b756fd1c31a12fa70870e214e772f4
SHA-1: 15c3f41f47d45bb16bbbaa5dcf60482b56a408c0
SHA-256: b1c89e4e60ca5588d2a215154bf0e2334f349ad4094c3dca1b15a8488651f101
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL pointing to a suspicious domain, identified by heuristics as an external URI and flagged by a machine learning classifier and ClamAV as malicious. The document body, though heavily obfuscated, contains text fragments related to 'Survivor 2020 winner' and authoring information, suggesting a lure to trick users into clicking the malicious link. No scripts were extracted, but the presence of the malicious URL is a strong indicator of phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafftec.ru/strik?utm_term=survivor+2020+winner (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cb94.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xCB94
Size: 4788 bytes
SHA-256: 3945f0da378cd5ee420cca460d2c0614d625b13e49356a76e1dbc770fdc45a6c

Filename: font_01_sfnt_off0000dc05.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xDC05
Size: 10504 bytes
SHA-256: 83f317eefeab0ea64471e15304ef3f3ecd1f656ad866d3256e4067dc1d3510b9