Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1de800b12910807…

MALICIOUS

PDF

Size: 386.6 KB
Created: 2022-06-07 00:58:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2022-07-15
MD5: 2ed9bf623aedc04bb59ae131b90ddae0
SHA-1: 8f84f98dfa18c0104f96c3fbc2a6917424d7930b
SHA-256: d1de800b1291080742881445c1c767918f9d7881d581b18cacc1bddabd1831f6
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The sample is a PDF file identified as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to a suspicious domain, disguised with a search query related to 'survival craft'. This suggests a phishing or social engineering attack aiming to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6448

Heuristics (5)

  • ClamAV detection [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://lovig.co.za/XSRYdR1H?utm_term=survival+craft+crafting+guide+recipes+list

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000597d6.bin
SHA-256: d191e9c4ca94cda43e695ccea1a704fbe2eb736565e4e27651047dacf9b0d594
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x597D6
Size: 19244 bytes

Filename: font_01_sfnt_off0005c950.bin
SHA-256: bc0726263ffe3a65ff4253aafd7596305231bca1e3a0834d950a6eb22697f2e0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5C950
Size: 10916 bytes

Filename: font_02_sfnt_off0005e27d.bin
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5E27D
Size: 16792 bytes