Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4f3252578567387…

Verdict: MALICIOUS
File type: PDF
Size: 72.1 KB
Created: 2020-11-19 00:13:56 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-07
MD5: 096d0ac5094f0641fb1779804896016f
SHA-1: 8dc27a3f6cf83781050b22212992372e5521bedf
SHA-256: b4f3252578567387e2c72484eeb58f56e5beb0c7059116bbea228bfc437af785
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF containing an embedded URL that points to a suspicious domain. ClamAV and an ML classifier flagged this PDF as malicious, specifically as a phishing trojan. The presence of an external URI and the overall detection suggest an attempt to redirect the user to a malicious site for further compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/123?utm_term=superhero+golf+cart (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4424328/normal_5f9ad2520f26f.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4418781/normal_5fade76c4461f.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bb0df081-c4f2-4c64-8756-251a8e90171e/60692539149.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/bb20d494-d5ac-4935-9e35-49b4a5b2f0e2/60590548009.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/25f4fbaf-08be-4726-89d3-fdcd508c58bf/mott_hall_high_school_calendar.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/5d8d578b-6f91-4c23-8dc4-f513b2440831/migeluxarisofevarole.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f8e10959-3c7b-406e-b359-8cafc0cfe146/14119887015.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/de520f82-2213-4e5d-8718-bbe2061310a6/the_last_stand_union_city_unblocked_premium.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/82601413-bfc7-464b-b2f5-2f6dbf8fa288/53785061077.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/16d7929f-183c-47c5-84ef-a856371fbb58/modern_principles_of_microeconomics_4th.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f6f671c3-a9fc-43b3-b316-135482b9e75a/zirof.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ae99c5fa-4865-4066-8ef3-b9409c97d326/71898043439.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ddee.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDDEE
    Size: 5204 bytes
    SHA-256: 4399380b865c0ee8ed8101f236d604b0114692bb29e34bd8129de631f55fde97
  • Filename: font_01_sfnt_off0000efa5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFA5
    Size: 10768 bytes
    SHA-256: 9bed314ce630e76498d23194fab82886cc324458954bf0d9f98dd5b574aa5004