Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf0750d764cb37dd…

Verdict: MALICIOUS
File type: PDF
Size: 84.0 KB
Created: 2021-04-04 12:38:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 238f45aeedde5402b656825647f29368
SHA-1: 2876930ea2359542501faf1f7401caac12ac5cf7
SHA-256: bf0750d764cb37dd221fe94c9a369748ba45bf2b73e4434f11d219ebe1128669
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL pointing to a resource that, based on the URL's query parameter, is likely a lure for 'Clash of Clans' game cheats. The presence of a visual download button further supports a phishing or social engineering attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/wix?keyword=clash+of+clans+android+1+hack+apk

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off00010276.bin (f5e96c7c299a8ee0c65267b79eb0b89643f0153ff70ab7e3c5e11d7e9d416479) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10276 | 5264 bytes
font_01_sfnt_off00011453.bin (a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11453 | 1800 bytes
font_02_sfnt_off00011ce0.bin (2bfb027679136a658b6a3f4ed8c8b5c1d74e5b3cab82261fe803529e7e632848) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11CE0 | 11016 bytes