Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2e8985840ade257…

MALICIOUS

PDF

62.7 KB Created: 2021-03-29 04:33:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f0652af8c7c17bab434d6b6e58b4a6bd SHA-1: 2bbd9c83160498bb8c9aeef4fd8868cbc4dc18f5 SHA-256: b2e8985840ade25727e9947686482cbc619ce373f0cd04f8a35578d0a632ae83
134 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document that contains a URL disguised as a search result for a book. The presence of external URIs and the ML classifier's high confidence score indicate malicious intent. The ClamAV detection further confirms this, identifying it as a phishing trojan. The document body, though heavily obfuscated, contains references to wkhtmltopdf and Qt, suggesting it was generated by a tool rather than being a legitimate document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9517

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/award?keyword=the+phantom+of+the+opera+oxford+bookworms+stage+1+pdf
    • http://sifulodidikit.22web.org/artifactory_latest_snapshot_curl.pdf
    • https://cdn-cms.f-static.net/uploads/4483833/normal_6029ae0c893bd.pdf
    • https://cdn-cms.f-static.net/uploads/4373768/normal_6054769291995.pdf
    • https://cdn-cms.f-static.net/uploads/4387408/normal_5fd622ee0e9bf.pdf
    • http://nesobaka9.xyz/how_old_is_klaus_baudelaire_nowdn97h.pdf
    • http://fuvufurewuf.iblogger.org/berufamuzevupukugaz.pdf
    • https://cdn.sqhk.co/zurefaxenov/jeIhdsy/34727593941.pdf
    • http://fb-copyright-help-from.com/pikekemivojmz1w.pdf
    • https://cdn-cms.f-static.net/uploads/4369764/normal_603a1c0b3388f.pdf
    • https://cdn.sqhk.co/bapuwanuvadi/shhxRzc/beat_the_buzzer_multiplication_game.pdf
    • https://cdn.sqhk.co/todusukiraxi/1hiRBij/bowling_central_2.pdf
    • https://cdn-cms.f-static.net/uploads/4483833/normal
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zuvemodu.rf.gd/dua_hizbul_bahr_download.pdf
    • http://lisodibediv.epizy.com/44284594652.pdf
    • http://kekabipiji.rf.gd/gonibowixalulorirepebax.pdf
    • https://s3.amazonaws.com/tidigudetefumof/12884326407.pdf
    • http://funizenobuwuka.epizy.com/88645240825.pdf
    • http://nusonakogip.epizy.com/peanut_butter_jelly_song.pdf
    • http://kubatejabudebuj.rf.gd/convert_file_in_word_document_for_free.pdf
    • https://s3.amazonaws.com/gazijewevan/tekuzakowuxi.pdf
    • https://s3.amazonaws.com/mesotodimus/navy_anti_terrorism_force_protection_manual.pdf
    • https://s3.amazonaws.com/bewibiwat/why_is_my_tv_not_connecting_to_internet.pdf
    • http://mufibozolo.epizy.com/homelite_chainsaw_repair_kit.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d208.bin
137757672f83909a6fb63f91e46eb819095d802c95e3734daea4ed764efdb0a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD208 5788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.