Malicious PDF — malware analysis report

Static analysis result for SHA-256 b58bdea2354877a7…

Verdict: MALICIOUS
File type: PDF
Size: 88.1 KB
Created: 2021-05-29 09:32:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 9f67f725a3a16af5a1cc5618dd8fd2ae
SHA-1: 79603a5f2fa34b190f87bf2c42d8c030c372eccd
SHA-256: b58bdea2354877a70b5d518ea694f7ab8890e4319a5b4a475f8b6a0b3fdd986c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a specific detection name indicating it's a phishing trojan. The embedded URL suggests a lure for users searching for academic content, likely leading to a phishing or malware download page. No scripts were extracted, but the PDF structure and URL indicate a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9970

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/strik?utm_term=libros+de+metodolog%25C3%25ADa+de+la+investigaci%25C3%25B3n+sampieri+pdf+2019 (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00011079.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11079   6288 bytes
  SHA-256: b09b87e8ca2cb3d65d2c506945bcf3f2d9b3d922fdb0e55edf9d9e9747254465
font_01_sfnt_off00012589.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12589   13304 bytes
  SHA-256: 441ddc4a55b56dd9f9d899e50df4b488cfc304f6cec07e168a4408969ea26051