Malicious PDF — malware analysis report

Static analysis result for SHA-256 cce9e54b136663cb…

MALICIOUS

PDF

Size: 88.7 KB
Created: 2021-03-29 23:55:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a6c5a64265b5080799261913ed73f3e2
SHA-1: 9904c987b883b49d7a1c3e8a06e8368dac8478c1
SHA-256: cce9e54b136663cb920f4e917fc462d99ae2fdd02cb6220c7c7cdc56865adc6f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded URLs, one of which is flagged as malicious and attempts to lure the user with a keyword related to 'Spymaster pro apk'. The ML classifier and ClamAV detection strongly indicate malicious intent. No scripts were extracted, but the presence of malicious URLs suggests the document is designed to redirect users to a phishing or malware download site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=spymaster+pro+apk+%25D8%25AA%25D8%25AD%25D9%2585%25D9%258A%25D9%2584

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ea60.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0xEA60  Size: 5200 bytes
    SHA-256: 3423ad2e2f1e5ec5ba37734c871cab9206e55d80ccde78405465fba845ade6af
  • font_01_sfnt_off0000fbfe.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0xFBFE  Size: 11504 bytes
    SHA-256: 4742f24420b8ae8f6f65655213a30062e1d911fa434572d0b35da360d3ac1a17
  • font_02_sfnt_off0001222c.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x1222C  Size: 16688 bytes
    SHA-256: 7c07b4e260f2e53ef40bcca67d44bb0160af2f8cbf348bf67b565194510934d6
  • font_03_sfnt_off00013970.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x13970  Size: 17320 bytes
    SHA-256: 31587ed480a1c55d11bcfbc407ae1a9315080a1f7a90989b9790c48841ca79f2