Malicious PDF — malware analysis report

Static analysis result for SHA-256 b22a1d1d516ceed6…

Verdict: MALICIOUS
File type: PDF
Size: 128.8 KB
Created: 2021-03-20 20:42:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1782f195a58a5befb79528ab9f55afef
SHA-1: 3d24eb9323f120d352f9bbf7341333a9af1a8ed5
SHA-256: b22a1d1d516ceed62719dcea296935b859b971116f2e07bca813857ae5a713e5
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to host malicious content or facilitate phishing. The document body, though heavily obfuscated, suggests a lure related to a "Shark tale color script", indicating a social engineering attempt to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://botokaw.ru/wix?keyword=shark+tale+color+script

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001befd.bin
    SHA-256: ae47b04cd1ee37dc5395b3a9a6e35b4c70716807eec35edbd1bd50666d342983
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1BEFD
    Size: 5188 bytes
  • font_01_sfnt_off0001d09e.bin
    SHA-256: d9d5ac3e3946f4440abf669ae46903dc403340444b383641c314bf38b586f322
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D09E
    Size: 10872 bytes