Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9b6e10853ba118a…

Verdict: MALICIOUS
File type: PDF
Size: 99.8 KB
Created: 2021-04-05 09:12:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: b1698e5dc2cb842223474f2c7b1af79e
SHA-1: 30474d84b5426adc3ebc38fccaf96bb3a3900629
SHA-256: b9b6e10853ba118a1278687579adf2a60b949f3e7e8699eae6438a64163edd38
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF containing an embedded URL that points to a suspicious domain, identified as malicious by ClamAV and ML classifiers. The document body, though heavily obfuscated, suggests a lure related to 'carrom rules in marathi language pdf'. The presence of embedded URLs and the overall detection by multiple security tools indicate a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://zajinet.ru/award?keyword=carrom+rules+in+marathi+language+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00014b9b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14B9B
  Size: 5360 bytes
  SHA-256: 82bd49af2a7f54626a58287bdd2da8a08b342e920f1d92f09ab2edcb3a80856d

Filename: font_01_sfnt_off00015da7.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15DA7
  Size: 10372 bytes
  SHA-256: b855cc9813913761e6dbbcb692fde0ed870febda4a1e1409719679fa05aefd9b