Malicious PDF — malware analysis report

Static analysis result for SHA-256 b43c31096c051b39…

MALICIOUS

PDF

Size: 335.1 KB
Created: 2021-03-15 22:27:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-10
MD5: 6d8458adfae9320a32b5406818cea2c9
SHA-1: 085c57ba3447a59aa8b95ce6e975b69389671332
SHA-256: b43c31096c051b390c7f06232f6e95a30256593980c9c40bf3814beb0849de3a
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded JavaScript and a high-confidence ML classification indicating maliciousness. It also features a URL that, when combined with the document's apparent theme of an 'Audi dealer locator', suggests a phishing or credential harvesting attempt. The presence of embedded JavaScript indicates an attempt to execute malicious code within the user's browser or PDF reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://resalured.ru/wix?keyword=audi+dealer+locator+belgium (PDF link annotation)
    • https://nurufumetexode.weebly.com/uploads/1/3/5/3/135323779/mudumelabisuta-toraxamimod-xugadenufuvuwiw.pdf (in PDF document text)
    • http://alcexpress3.xyz/nutritional_medicine7hjzp.pdf (in PDF document text)
    • https://widuboxizivibib.weebly.com/uploads/1/3/4/3/134315701/662f205.pdf (in PDF document text)
    • http://telgrm.site/zepiv2otjb.pdf (in PDF document text)
    • http://idealslimitaly.site/zatad35rgu.pdf (in PDF document text)
    • https://bibixofepo.weebly.com/uploads/1/3/4/2/134235383/veviteviboxurar-risela-wulepidiniwa.pdf (in PDF document text)
    • https://wolegowagu.weebly.com/uploads/1/3/4/4/134404953/aa0af4324ea7.pdf (in PDF document text)
    • http://familyit.pro/bollywood_hd_video_song_pagalworld._com_2017x8zmz.pdf (in PDF document text)
    • http://blockingscenery.com/can_you_convert_a_weber_genesis_natural_gas_grill_to_propanehdtue.pdf (in PDF document text)
    • https://jeduwenerapowi.weebly.com/uploads/1/3/4/6/134678879/lunipelesuxewag-xumogorawum-vifelaz-zuwoxalosug.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/muvevanepen/943884720.pdf (in PDF document text)
    • https://8650d040-a33d-467d-a608-6706f181f11b.filesusr.com/ugd/61b8bf_cfe9f1f5fdef4affa6dc806e812429a1.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/mefonevimimix/employee_attitude_definition.pdf (in PDF document text)
    • https://s3.amazonaws.com/wizakokowe/tefizeporizanevalusidita.pdf (in PDF document text)
    • https://77bac38d-831a-46d6-8f22-d7743fcadc58.filesusr.com/ugd/5b9a87_3fc01d903e96432da48f195a2dc41f12.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/marimejerebo/173410600.pdf (in PDF document text)
    • https://45b0b119-5f8c-43e7-b437-4e12d17c1c81.filesusr.com/ugd/3826db_884ceb7cee0a42169417e68e0a052432.pdf?index=true (in PDF document text)
    • https://b5b764bc-4fc6-48d7-9a4b-423a4d05f225.filesusr.com/ugd/3f2390_8c1a76f3d54c4dc9b321ede04f0fd94b.pdf?index=true (in PDF document text)
    • https://1a441fb4-51dd-4528-a053-eb59ff664e18.filesusr.com/ugd/43d9d5_21947fd2ad7c4feabbc36181d14c95e5.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/loxopudizus/57299317879.pdf (in PDF document text)
    • https://68f2566a-c586-4d15-a5d1-3a72044c38f3.filesusr.com/ugd/ecec20_5146491b203b41dea7c8c2deff34d647.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/megodipewukitoj/midaguwizuwupawibalamanev.pdf (in PDF document text)
    • https://s3.amazonaws.com/bevekizadoxuj/an_introduction_to_lng_bunkering.pdf (in PDF document text)
    • https://s3.amazonaws.com/vatosolikijike/october_blank_calendar_template.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00017724.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17724 | 305028 bytes | ec1069122ea89e2a2a097470adeb1f78a7303281c039cd11f31637e03027dee2
font_01_sfnt_off0004f310.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F310 | 5212 bytes | 965e48cf5b8a779d0ebafd3aba6aa767838eb98ce8b348adcc0807b61e5d0954
font_02_sfnt_off000504b2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x504B2 | 11660 bytes | 393b5079d8096c7fd71a976322f7da5817c93690aa1bafbb909e9889c7bb319b