Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5f62270c2870049…

Verdict: MALICIOUS

File type: PDF

Size: 71.2 KB
Created: 2021-06-11 03:31:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: b41e2a8cc74d3bd75858bfaa62ed466e
SHA-1: 315de674728e01a4673dc0d165e003ad2828f5f2
SHA-256: b5f62270c287004918fc62784a2a823fb5c22f563e4d3a755655bd4bf9a7f366
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://huntic.ru/pbw?utm_term=download+lie+with+me+full+movie (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4418000/normal_605591fe999c5.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4387235/normal_6000fc32d7fbc.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366055/normal_60b9b13a65bd6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4489601/normal_6049ecac425a5.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4501503/normal_600c3df395f78.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4377095/normal_6019118bb55f2.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/1a39791c-f19c-4568-a1cb-d7432edf2d5f/how_old_to_work_at_ross.pdf (in PDF document text)
    • http://zikasamu.pbworks.com/f/10661150162.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a8d629e2-86fa-4b37-91ce-a537907133f2/povilizuwusazu.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/83ff8663-b407-4ab4-84a0-2179ce3f5c2c/how_to_clean_ge_washer_dryer_combo.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0ebd3081-e654-4ee4-9c9f-89c1222d28f3/54362401633.pdf (in PDF document text)
    • http://foziwedugumu.pbworks.com/f/tubemate_youtube_downloader_app_free_download.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/7338756b-768e-4e45-bb62-e7773bba68d9/kojijukorogigedom.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/a37a363d-beb7-4780-9447-1546e358950c/meaning_alchemy_symbols_tattoo.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6f101451-df84-4398-8d07-b736ef59e63c/how_much_time_does_it_take_to_write_a_screenplay_script.pdf (in PDF document text)
    • http://davusavesasi.pbworks.com/w/file/fetch/144793527/exercicios_de_regencia_verbal_com_gabarito.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/96a39977-5e1c-4152-aeca-fdbadbfd4884/89601290464.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2b6e42d3-c79b-4fa6-99c9-af25dfe1b04d/dorelovodiwokomo.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/e671b9ff-9976-4297-abfe-578b92a37639/how_to_setup_dell_active_pen_pn579x.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000db34.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDB34
    Size: 5024 bytes
    SHA-256: 31d02b0b7bd5c6a34faaa0365a0f67d36a4f79d7dd21f77a3092b926813cca1b
  • font_01_sfnt_off0000ec48.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEC48
    Size: 10340 bytes
    SHA-256: d79eda3e88066a72a1a368819a4dfe5e81e1a373695de861c2a03df275188631