Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb372cc96c7c8362…

Verdict: MALICIOUS
File type: PDF
Size: 78.8 KB
Created: 2021-04-05 00:26:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2338018e7d5f7ac369a5b118a5050066
SHA-1: 230527ccb07433f566148d5aa1ce5b4df5b15dd7
SHA-256: cb372cc96c7c83622592cb9579a1a24ed52fba7eabacfef6a6f4ba163b590b6a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URI pointing to a URL that appears to be a lure, disguised as a search result for an image. No scripts were extracted, but the presence of external URIs and the phishing classification strongly suggest a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/strik?utm_term=world+map+outline+high+resolution+png

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f899.bin
  SHA-256: fb1c56abcbe763da1743cfb6278370908e7dba4051965e48f0d0151a9ae5b967
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF899
  Size: 5384 bytes

Filename: font_01_sfnt_off00010ac4.bin
  SHA-256: 979fe41984746c5836cdbb8fb6feca716592a9eb228debf622257f9f8d963639
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10AC4
  Size: 10244 bytes