Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1591211bac6fabc…

Verdict: MALICIOUS
File type: PDF

Size: 71.8 KB
Created: 2021-04-02 16:18:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: c2d19847d36b06446d1a595adddc3be4
SHA-1: d35122d2fb3388704080114deb9d141d57ac8792
SHA-256: d1591211bac6fabc17bd3cf8c84c67a119a1368afaab9f41dded5b96c197634b
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URI pointing to a suspicious domain. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be related to product search terms, suggesting a lure for phishing or malware delivery. No scripts were extracted, but the presence of an external URI is a primary indicator of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://baarspo.ru/strik?utm_term=casio+w-201+strap (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000c923.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC923
    Size: 6548 bytes
    SHA-256: 370b63e99b3bc2c1d8b7a2bfc1693e0257dccade0e64e814f912f9e1c3af29e8
  • font_01_sfnt_off0000d979.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD979
    Size: 5136 bytes
    SHA-256: 57e2d7ede46347f9f523c5bd1340955879e51b60aa905344d9b1a415e8467613
  • font_02_sfnt_off0000eb19.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB19
    Size: 10908 bytes
    SHA-256: 38e06e0093db9ad802b6ba78e5fadba2b1ce4f13037f7038501abb50e8c21d40