Malicious PDF — malware analysis report

Static analysis result for SHA-256 cdd95127b4ee78db…

Verdict: MALICIOUS
File type: PDF
Size: 73.1 KB
Created: 2020-11-28 07:57:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2700c12dc32b790f527493200f7edd90
SHA-1: d1d3e7f27f0f27aa1d9f1423a19effedb4a93d81
SHA-256: cdd95127b4ee78dbcdffbd2c21f459bffe20583b41332d4a9c9b5be5b587ff79
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document containing an embedded URL that leads to a suspicious domain; heuristics flagged it as an external URI, and both the ML classifier and ClamAV flagged the file as malicious. The document body, although heavily obfuscated, contains text relating to 'Poptropica astro knights puzzle' along with the authoring application name 'wkhtmltopdf', which suggests a lure document. Taken together, the external URI and the ML/ClamAV detections indicate a phishing or malware-distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffset.ru/123?utm_term=poptropica+astro+knights+puzzle
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/regovadeje/famumujoneminodefokiziduw.pdf
    • https://s3.amazonaws.com/rekorewexidiwo/joledanaleve.pdf
    • https://s3.amazonaws.com/betefowubevat/triangulation_in_qualitative_research_flick.pdf
    • https://s3.amazonaws.com/tojabixefova/anjaana_anjaani_full_hd_movie_filmywap.pdf
    • https://uploads.strikinglycdn.com/files/9f0f29d3-d027-4d0d-a830-edb0887a375b/45836890695.pdf
    • https://uploads.strikinglycdn.com/files/527faf4e-414b-474b-a850-34e584b7918b/ethiopian_driving_license_written_exam_practice_questions_apk.pdf
    • https://s3.amazonaws.com/nisiwanolom/bosawofixaju.pdf
    • https://s3.amazonaws.com/xuvamuba/lab_safety_powerpoint_worksheet_answer_key.pdf
    • https://s3.amazonaws.com/zusevamasor/ballerina_full_movie_hd.pdf
    • https://s3.amazonaws.com/nevovumowa/dsl_reports_start_tv.pdf
    • https://s3.amazonaws.com/bodepova/64626226457.pdf
    • https://s3.amazonaws.com/wixanarer/gufusezeriw.pdf
    • https://s3.amazonaws.com/tulosa/berger_paints_color_chart.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e2e7.bin
  SHA-256: f21b700c7801641d18327f4cb14d3fd41e587b746235effa19dc6ed3be9fe9d6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xE2E7
  Size:    5312 bytes

Filename: font_01_sfnt_off0000f4fa.bin
  SHA-256: e25d152203c063c03fc98fb3352ab763759c5d39bfa7351f9390d99f7fb94099
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF4FA
  Size:    10100 bytes