Malicious PDF — malware analysis report

Static analysis result for SHA-256 c79adf9094dfbfa1…

MALICIOUS

PDF

  • Size: 76.4 KB
  • Created: 2021-04-07 02:02:57 +03:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • MD5: 04ebfd4066561844f2effe02a9b4d77d
  • SHA-1: 6ea861fcc9c5532ea1cc7138b1609367c9271d54
  • SHA-256: c79adf9094dfbfa1defdbe874cdf472cdef6a8a90db04d6ea5b0a845fb623c05
  • Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that directs users to download a file, masquerading as a free download for a mobile game. This is a common phishing tactic to trick users into downloading malware. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/wix?keyword=gta+ios+apk+free+download
    • http://memisada.mygamesonline.org/putapanarafi.pdf
    • https://cdn-cms.f-static.net/uploads/4443326/normal_602704ef18fb1.pdf
    • http://vuroxinizona.scienceontheweb.net/metode_riset_akuntansi_keperilakuan.pdf
    • http://kamefutebiwef.mywebcommunity.org/plano_cantabria.pdf
    • http://davupopebuwiser.sportsontheweb.net/karexaloxomazejaso.pdf
    • http://xuzotudaraderuf.mypressonline.com/xojemowozojesusa.pdf
    • http://luxasireku.sportsontheweb.net/how_do_you_adjust_an_invisible_fence_transmitter.pdf
    • https://static.s123-cdn-static.com/uploads/4408584/normal_6001cdf4c786f.pdf
    • https://cdn-cms.f-static.net/uploads/4368978/normal_600fd2f44c591.pdf
    • http://finuxezanasa.mygamesonline.org/calendar_for_september_2020.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://f608bf75-187c-4b28-9621-af925c05c2b6.filesusr.com/ugd/05e3ad_1ab462e5e6cc410e8c762063d599639f.pdf?index=true
    • http://rofuvawitarul.atwebpages.com/be_merciful_o_lord_angrisano.pdf
    • https://1fc3e790-19e1-43b7-bae7-d09a953f51fe.filesusr.com/ugd/2c608b_0ce4afeb71714060bc0b519cdf3bda2b.pdf?index=true
    • https://41be308f-8a64-4dec-8b30-4937605be974.filesusr.com/ugd/f042fe_f699206604ce41378e67f2c0fc62ac0b.pdf?index=true
    • https://e4dd5bf8-bd13-43e3-b37b-9624b2564f03.filesusr.com/ugd/093416_78b2ecbbc2e34a25abffde6abbf47803.pdf?index=true
    • https://f8d4b294-f952-4a11-85e8-0a3036f9bdaf.filesusr.com/ugd/ad8f3a_593b1bc18605414bb90ba4c3fca483d8.pdf?index=true
    • https://ddb0fe67-a09a-413d-b59a-c21b1dde3186.filesusr.com/ugd/3f0e57_941ce956ad1d4c50a9598dff7aef0e49.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8ad4c7b0-2f96-48a4-8144-7dcdac404072/how_to_use_a_car_key_programmer.pdf
    • https://f62a3995-63c1-43d8-9567-a18c4730807f.filesusr.com/ugd/b1277d_5d0a9097fccb4e49a85084ddbfec710b.pdf?index=true
    • http://ligiwekuxote.myartsonline.com/teaching_strategies_in_mathematics.pdf
    • https://2a984544-7cb8-4a4d-9f60-e686f7994e39.filesusr.com/ugd/1434d3_b2494a1aa57e4f7694326927a592368e.pdf?index=true
    • https://6c8027e1-9878-41b3-a9ef-32ba2b6bcd02.filesusr.com/ugd/185811_01505c34af7d4b48a3adc6f442fd56d1.pdf?index=true
    • https://uploads.strikinglycdn.com/files/8a5ae2e9-d7cc-4fc0-863b-b32bb539ed0f/zig_ziglar_books_in_hindi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000edb3.bin
    SHA-256: 5d263ba2ed7c0e99c7a58532448ef1ce8aa9a93b2f2cd3bed067e9a002aeda2b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEDB3
    Size: 5220 bytes
  • font_01_sfnt_off0000ffa1.bin
    SHA-256: 351358925b99e380a6d082bf7703297ffa3e2050efb58fe9ad1738c09089e510
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFFA1
    Size: 10648 bytes