Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc5783865386476d…

Verdict: MALICIOUS
File type: PDF
Size: 103.5 KB
Created: 2021-07-13 21:21:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-08-25
MD5: a45ccd24bc22f8341a34140f9ecfade1
SHA-1: d33a785923934f4d094338d6ee5b66f9a0158eed
SHA-256: bc5783865386476dd36c67640929f10fea45e0eb1e4a99cb499468c00ef961e6
Risk score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a signature indicating phishing and trojan activity. It contains an embedded URL pointing to 'chcial.ru', which is likely a phishing or malware distribution site. Although no scripts were explicitly extracted, the PDF structure and embedded URI heuristic suggest an attempt to redirect the user to this external resource.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.3066

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://chcial.ru/square?utm_term=the+fastest+speed+a+human+can+run (PDF link annotation)
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ed90c639532c3941c27ce5/1626181830978/noriwuzibavazer.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e91fffe6a58043b69197e8/1625890815331/incubation_period_of_aids.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60e8cf59de3d741538b97028/1625870170032/perojuwugujozijunoze.pdf (in PDF document text)
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e7ae26d0799e4214be1d7f/1625796134427/24754365393.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off0001185e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1185E
    Size: 10692 bytes
    SHA-256: f2bbeae984aafef84c220f2c76731ce45e21a1003e246d48b4ebdbaae59a0a4e
  • font_01_sfnt_off000130b3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x130B3
    Size: 16108 bytes
    SHA-256: 9ea9197b6a75c7fe67a727ea228f5add925cef9a7182c4c37535d81b948c8910
  • font_02_sfnt_off000145e8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x145E8
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_03_sfnt_off00015dfa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15DFA
    Size: 19272 bytes
    SHA-256: 826b996cf8c900cc92d1cdd5539a566f457a161b65f2911e5843a4b8cda0958c