Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2fac530ce1de6ce…

MALICIOUS

PDF

Size: 152.4 KB
Created: 2021-05-06 20:47:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 219e7efeae84885044b0c861f9c664f6
SHA-1: d1b57ec992b403b06a4ed842a323ce2926d58935
SHA-256: d2fac530ce1de6ced6c064dc47249c8bf6c7d2fb9b26a0f5995baa8c1584c5b8
Risk score: 224

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment, T1204.001 User Execution: Malicious Link

This PDF triggers multiple heuristics indicating malicious intent, including an ML classification and a ClamAV signature match. It relies on social engineering: it tells the user to install a browser extension or plugin to view the content, supplies a password for an accompanying archive, and uses urgency language to prompt action. The document also contains a clickable link to an algorithmically generated URL, which likely serves as the download source for a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://queure.ru/uplcv?utm_term=bullet+point+formatting+in+illustrator
    • https://www.ogblfrontaliers.fr/wp-content/plugins/super-forms/uploads/php/files/qofvqukongstu61ohf5afdm840/jokuduruzasalipevumovolas.pdf
    • https://calldidocta.com/wp-content/plugins/super-forms/uploads/php/files/345ec3ee9c4f3a129680eed703e68679/45465278519.pdf
    • http://www.icodar.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cbd75c3694---wiminifibubonakesusufi.pdf
    • https://www.colegiodesafio.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/16075e26a3aca6---90565195161.pdf
    • https://sipare.com.ar/wp-content/plugins/super-forms/uploads/php/files/ue6i6bgqsva28jfhac2b7pv2o3/vewitasonosivedox.pdf
    • http://acecaalcoy.com/userfiles/file/5687663027.pdf
    • http://villa-carlshorst.de/sites/default/files/file/56977907432.pdf
    • https://rjiminfra.com/wp-content/plugins/super-forms/uploads/php/files/22fa7f65e4f4523a14b87017bd4c7466/nupuwisaxi.pdf
    • https://earthchartercities.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606c84cf246e2---97123802313.pdf
    • http://www.nbrownies.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606f4ac5eaf2d---jesovenazupewidawafapel.pdf
    • https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/uoir3r48ja0n32g85oig1oertb/3815390831.pdf
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/ri6pvi7f775fsbufnfumabsrf6/54474443462.pdf
    • http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/16078209539e53---54692849809.pdf
    • https://www.freshstartdigitalmarketing.com/wp-content/plugins/super-forms/uploads/php/files/b9f41fa7cbda55382783398ccc8bb71d/gupobufisawasibikotoma.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
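The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL finding and the token half of PDF_RANDOM_URL_LINK above can be reproduced with a raw byte scan: index every "N G obj ... endobj" definition, flag object numbers whose bodies differ, raise severity only when a body carries active content (/URI, /JavaScript, /Launch and similar), then show which URL a first-wins and a last-wins reader would each follow and whether that URL carries a long high-entropy token. The Python below is an added example written for this page, not code from the engine that produced the report. The sample PDF (no xref tables), the host lure.example.net and the query token are constructed; the regex object scan is a deliberate simplification of a real parser, which follows the xref chain, and the host-label ("pronounceable-random") part of the URL heuristic is not implemented.

```python
import math
import re
from collections import Counter, defaultdict

# Dictionary keys that make a PDF object "active content": URI/link actions,
# JavaScript, external launches and auto-run hooks. Substring match is coarse on purpose.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/GoToR",
               b"/SubmitForm", b"/OpenAction", b"/AA")

# Raw "N G obj ... endobj" scan. A real reader resolves objects through the xref
# chain; scanning the bytes instead is what surfaces the duplicates the xref hides.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")

# Constructed sample (not the report's file): object 5 0 is a link annotation defined
# twice. The first body points at a benign host; an appended incremental update
# redefines the same object with a lure URL. Host and token are placeholders.
BENIGN_URI = b"https://example.org/help"
LURE_URI = b"https://lure.example.net/uplcv?k=x8k2qp7vz4mn9bw3hs6rt1cy5"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    + b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" + BENIGN_URI + b") >> >> endobj\n"
    + b"trailer << /Root 1 0 R /Size 6 >>\n%%EOF\n"
    + b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" + LURE_URI + b") >> >> endobj\n"
    + b"trailer << /Root 1 0 R /Size 6 /Prev 9 >>\n%%EOF\n"
)


def index_objects(pdf):
    """Map (num, gen) -> [(offset, body), ...] in file order, keeping every redefinition."""
    index = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        index[key].append((m.start(), m.group(3).strip()))
    return index


def duplicate_objects(index):
    """Objects defined more than once with differing body bytes (identical re-emits are benign)."""
    return {k: v for k, v in index.items() if len({body for _, body in v}) > 1}


def carries_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def resolve(index, key, policy):
    """Body a first-wins or last-wins reader ends up using for (num, gen)."""
    versions = index[key]
    return versions[0][1] if policy == "first" else versions[-1][1]


def token_entropy(token):
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values()) if n else 0.0


def looks_random_url(uri, min_len=20, min_bits=3.0):
    """Token part of the PDF_RANDOM_URL_LINK shape: a long, high-entropy token in path or query."""
    path_query = uri.split(b"://", 1)[-1].partition(b"/")[2]
    tokens = re.split(rb"[/?&=._-]+", path_query)
    return any(len(t) >= min_len and token_entropy(t) >= min_bits for t in tokens)


def assess(pdf):
    """One finding per duplicated object, with what each reader policy would resolve."""
    index = index_objects(pdf)
    findings = []
    for key, versions in sorted(duplicate_objects(index).items()):
        first, last = resolve(index, key, "first"), resolve(index, key, "last")
        active = carries_active_content(first) or carries_active_content(last)
        last_uris = URI_RE.findall(last)
        findings.append({
            "object": "%d %d" % key,
            "definitions": len(versions),
            "offsets": [off for off, _ in versions],
            "severity": "high" if active else "info",
            "first_wins_uris": URI_RE.findall(first),
            "last_wins_uris": last_uris,
            "last_wins_random_url": any(looks_random_url(u) for u in last_uris),
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_PDF):
        print(finding)
```

Running the script prints one finding for object 5 0 at severity high, with the benign URL under first_wins_uris and the lure under last_wins_uris. Pointing assess() at a real sample is enough to see whether the two reader policies disagree on active content; the duplicate-body check alone stays at info, exactly as the heuristic description says.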

Extracted artifacts (4)

Files carved from inside the sample during analysis.

stream_003_off0001fefd.bin
  SHA-256: 5220ffea68c5012b6bd1b51d60ede54219427fde42b6eba6c65e6a2d79c6575c
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1FEFD
  Size: 4612 bytes

font_01_sfnt_off00020f33.bin
  SHA-256: 465540986c99b9a0c2d88b046718ab5d161336f90dba8105ecb5976752295ae3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x20F33
  Size: 5272 bytes

font_02_sfnt_off00022104.bin
  SHA-256: a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x22104
  Size: 1800 bytes

font_03_sfnt_off00022991.bin
  SHA-256: 4e0fe11c2ed682b75f082388b1edfb158ae0f7cf4551445512db12d936aab979
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x22991
  Size: 12440 bytes
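The artifact table is the output of a stream carver: locate each stream dictionary, read its direct /Length (falling back to the endstream keyword when /Length is indirect or missing), inflate FlateDecode data, hash the result, and classify it by content, with an sfnt magic marking an embedded font. The Python below is an added example, not the tool that produced the table. The sample PDF with its two streams is constructed here, the stream_NNN_offXXXXXXXX / font_NN_sfnt_offXXXXXXXX names only mirror the table's convention, the counters start at 1, and "offset" is taken to be the start of the stream data after the stream keyword; the report does not say which byte its offsets refer to.

```python
import hashlib
import re
import zlib

# sfnt magics: TrueType (0x00010000), CFF-based OpenType, Mac TrueType, font collections
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# A stream dictionary immediately followed by the stream keyword. Handles one
# level of nested << >>; a full parser would tokenise the dictionary instead.
STREAM_DICT_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
# Direct /Length only; "/Length 5 0 R" (indirect) is left to the endstream fallback.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s*R)")


def _flate_obj(num, extra, payload):
    """Build one FlateDecode stream object for the constructed sample."""
    comp = zlib.compress(payload)
    return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode %s>>\nstream\n" % (num, len(comp), extra)
            + comp + b"\nendstream\nendobj\n")


# Constructed sample (not the report's file): a page content stream and an
# embedded TrueType-shaped font stream, both FlateDecode-compressed.
CONTENT = b"BT /F1 12 Tf 72 712 Td (Open the attached archive, password 1234) Tj ET"
FONT = b"\x00\x01\x00\x00" + b"\x00" * 28 + b"constructed sfnt body"   # starts with TrueType magic
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _flate_obj(4, b"", CONTENT)
    + _flate_obj(7, b"/Length1 %d " % len(FONT), FONT)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def carve_streams(pdf):
    """Return one dict per stream: name, kind, offset, size, sha256 and the carved bytes."""
    artifacts, pos, n_stream, n_font = [], 0, 0, 0
    while True:
        m = STREAM_DICT_RE.search(pdf, pos)
        if not m:
            return artifacts
        dict_bytes, start = m.group(1), m.end()
        lm = LENGTH_RE.search(dict_bytes)
        if lm:
            end = start + int(lm.group(1))
        else:
            end = pdf.find(b"endstream", start)
            end = len(pdf) if end < 0 else end
        raw = pdf[start:end]
        data, decoded, broken = raw, False, False
        if b"/FlateDecode" in dict_bytes:
            try:
                # decompressobj() returns whatever inflates cleanly even if the tail is junk
                data, decoded = zlib.decompressobj().decompress(raw), True
            except zlib.error:
                broken = True
        if not broken and data[:4] in SFNT_MAGICS:
            n_font += 1
            kind, name = "pdf-font-stream", "font_%02d_sfnt_off%08x.bin" % (n_font, start)
        else:
            n_stream += 1
            kind = ("undecodable-flate-stream" if broken
                    else "decompressed-pdf-stream" if decoded else "raw-pdf-stream")
            name = "stream_%03d_off%08x.bin" % (n_stream, start)
        artifacts.append({"name": name, "kind": kind, "offset": start, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
        pos = end   # skip the binary stream bytes so they are not rescanned for dictionaries


if __name__ == "__main__":
    for a in carve_streams(SAMPLE_PDF):
        print("%-28s %-24s offset 0x%X %6d bytes sha256 %s"
              % (a["name"], a["kind"], a["offset"], a["size"], a["sha256"]))
```

On the constructed sample this prints a decompressed-pdf-stream entry holding the lure text and a pdf-font-stream entry, each with its offset, size and SHA-256 in the same shape as the table above. The carved bytes are what a follow-up pass (string extraction, font parsing, YARA) should be run on, not the compressed stream in the file.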