Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce325e3a308562f6…

MALICIOUS

PDF

Size: 67.8 KB
Created: 2021-03-10 00:20:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-13
MD5: 92549f2a5688dd4e6f9acbad0d41e37a
SHA-1: 626b1f01789a1532e2ae54b74a6d3d031c247cc8
SHA-256: ce325e3a308562f64cc5ac1d4bad42ac4261d22da65ab4a1594f6392dbdd7421
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, and ClamAV detection indicates it is a phishing trojan. The document body, though heavily obfuscated, suggests a lure related to 'Oregon road map pdf'. The presence of embedded URLs and the ML classifier's high confidence score suggest this document is designed to trick users into visiting malicious sites, likely to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://druttle.ru/award?keyword=oregon+road+map+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000cc12.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCC12 | 5176 bytes
  SHA-256: 1e0512f73c68888e8e8da9ddb6be69ea3046493e3cd38e4ce2b295a14c5ecfb6
font_01_sfnt_off0000dd98.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDD98 | 10292 bytes
  SHA-256: b7ecf22afa49bd093e88539c1d2786f640e0e7b1513bf032f02d336e4262e340