Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0141d3b347cb531…

Verdict: MALICIOUS
File type: PDF
Size: 122.1 KB
Created: 2021-03-06 22:54:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-20
MD5: 8965414ce5e84823ea7632a57f773917
SHA-1: 9a77c02079acfe2c425047a6be059b5e505141a7
SHA-256: c0141d3b347cb531da35582bf32c89f6e92ea61681a2d73921b30a10dd491418
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI that redirects to a suspicious domain, indicating a phishing attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were directly extracted, the PDF structure and embedded URI are typical of phishing lures designed to trick users into visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9661

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/strik?utm_term=a%2526p+story+john+updike (PDF link annotation)

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00010939.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10939 | 7296 bytes
    SHA-256: db39aa01c87c019e7d28af8385e85e0cc42e2a652d942efcec1f564201f31234
font_01_sfnt_off00011bd4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11BD4 | 2972 bytes
    SHA-256: d9786549f5df5d6e718aef1c02eb2b997d01f35833f81d63a56796f2a090b547
font_02_sfnt_off00012652.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12652 | 4144 bytes
    SHA-256: 342af526eadab6d280a6c9b5342a94db61f67a18ab89ad67ca4126a2bccef53b
font_03_sfnt_off00013435.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13435 | 6196 bytes
    SHA-256: f3fa8a5f3dc49ff372f9d989da8af023778b34175736f7acafdc1f1f07595743
font_04_sfnt_off0001433b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1433B | 3884 bytes
    SHA-256: 2bd5eee788565a424da19eacedb187e2daa4ec679a522fd8d789cde010a901df
font_05_sfnt_off00014f62.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14F62 | 3732 bytes
    SHA-256: 3969ac3773bdd222cc3bf495d25cbc4dc72afdda0311f502aefa3ef7d7af407f
font_06_sfnt_off00015aa4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15AA4 | 1780 bytes
    SHA-256: 0f408e917c785d510e7d7259f341e5af3a6d1d5f662e81e96fbbf3548d060f80
font_07_sfnt_off0001637d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1637D | 26788 bytes
    SHA-256: fd8a6033fc355b4d6d8f1cea222e6f84db9bedf6a784a0189e8371dfe007b3b2
font_08_sfnt_off0001a3ea.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1A3EA | 16920 bytes
    SHA-256: 76fdc8c64383bf6d8a8b1c349a47b201304e2b3e3319473b1a1e999a2cd9954a
font_09_sfnt_off0001bc6c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BC6C | 2448 bytes
    SHA-256: 7aac5f0bed75da8bfde988609144189bcc2cda5cb2bc78fa1dba0d131793d268
font_10_sfnt_off0001c644.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C644 | 6360 bytes
    SHA-256: fda5aa9833a17f5de0c95c61cf6bdcf5540b5c749b9630c4cfbbb94429f3af71