Malicious PDF — malware analysis report

Static analysis result for SHA-256 b90fed3b9669a898…

Verdict: MALICIOUS
File type: PDF
Size: 76.8 KB
Created: 2021-04-06 19:42:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ab1d08bedc1f64933d7807edfe7ce637
SHA-1: eaf1aefbe37c32f37f54ee76138e7528f5ffaa77
SHA-256: b90fed3b9669a898293ac475f9958dcd0838d7e67baf19f04733da97155eda08
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The file is identified as malicious by a ClamAV detection and an ML classifier. It contains external URIs and references to 'powershell_script.pdf' and other PDF files, suggesting an attempt to download and execute a second-stage payload. The document body, though heavily obfuscated, contains a title related to 'how to tire flip', likely a lure to entice users to interact with the malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000efa8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEFA8
    Size: 4560 bytes
    SHA-256: ed97ac5b351d4c5b34304a704e5dcc9db97f558e318be68589f5ac5e5669c875
  • font_01_sfnt_off0000ff4a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF4A
    Size: 11400 bytes
    SHA-256: c4aa1fbf92229a913db84ce5c2f44580ee6ad74f672a04f2b4dd84e0062c457a