Malicious PDF — malware analysis report

Static analysis result for SHA-256 c222f7d010e9c136…

Verdict: MALICIOUS
File type: PDF
Size: 72.3 KB
Created: 2021-04-27 05:13:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc1d7dad792997fb7cde76b10bad65c1
SHA-1: 5374dae32fc11ff72e74ce8dfbab633108710e5b
SHA-256: c222f7d010e9c136d5c9a4115129cab902f2354beb1a193eae75de75f9de80d9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF containing an embedded URL that points to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF with a high probability of being malicious. The embedded URL likely serves as a lure to download a malicious payload or redirect the user to a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000da84.bin
    SHA-256: a77dabda5213a28f5db7f7146e99c1b5b1d2afa20c82fdff1648638cfa59bc9e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDA84
    Size: 5540 bytes
  • Filename: font_01_sfnt_off0000ed2b.bin
    SHA-256: 0c8fac55e954fd1b28709b248c565d6e8151120a52cc16acc6a33304389e697f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED2B
    Size: 11024 bytes