Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4f73d052e9c969d…

Verdict: MALICIOUS
File type: PDF
Size: 210.2 KB
Created: 2021-03-29 23:11:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9a5319b102e56166a22434f5e087014e
SHA-1: 11a5bea0a3008bace7c04cf14a68d256cec52e49
SHA-256: d4f73d052e9c969d8bf9912fb1e7993d97738febd18a9927be0f374e1259d595
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by a machine learning classifier and by ClamAV. Heuristics indicate a password-protected archive lure: the document instructs the user to decrypt and open an attachment, a pattern used to keep the payload encrypted until after gateway scanning, so the decrypted file, not this PDF, is the stage that carries the real payload. The external URI action and the other extracted URLs that resolve to hosted .pdf files are the likely distribution points for that secondary payload. The remaining URLs (w3.org, purl.org, ns.adobe.com, the font vendors and scripts.sil.org/OFL) are XMP namespace and font-licence references that also appear in benign documents and are not indicators on their own. The wkhtmltopdf producer string is consistent with a lure page rendered from HTML rather than an authored document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9927

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kuzutuzo.ru/aws?utm_term=what+is+a+liminal
    • http://neo-tp.ru/pebuxonukadowr1fp.pdf
    • http://lestyprin.online/bounce_back_loan_calculator_barclays8mxlp.pdf
    • http://smm-target.ru/how_to_reset_bunker_hill_security_password9e79g.pdf
    • http://gravkamen.ru/example_of_formal_chemistry_lab_reporthhsgp.pdf
    • http://esclick.pro/is_kerbal_space_program_2_cancelledp8tgp.pdf
    • https://static.s123-cdn-static.com/uploads/4459641/normal_5fee1b7067cc6.pdf
    • http://reduslim-shopofficial.site/sizaxilowopizp7x.pdf
    • https://cdn-cms.f-static.net/uploads/4450148/normal_60215f139ba16.pdf
    • http://mastera-saydinga.ru/luganutolukaznjhy2.pdf
    • http://about-central.com/75313527200lulb7.pdf
    • https://cdn-cms.f-static.net/uploads/4369308/normal_60243a59cb838.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://054d5c26-596f-48a3-87a7-0fc79031e5db.filesusr.com/ugd/599026_72b715095e6940cb8a97aa21bb80cc18.pdf?index=true
    • https://551f0ad2-75d1-4009-b90b-2f3e3e20230b.filesusr.com/ugd/c2bf0a_c1f0069c86754614bb45a537773891b0.pdf?index=true
    • http://gebuzabode.epizy.com/ascaris_et_ascaridiose.pdf
    • https://ad858f6a-7bbb-416d-9365-e04d7986ed9b.filesusr.com/ugd/3c9ac1_83bf5d87ffd540e7a39aa791664770da.pdf?index=true
    • http://tukekutiwele.rf.gd/30857262405.pdf
    • https://438e95ed-c264-4db5-88d3-1a9ca8b91b86.filesusr.com/ugd/733c1f_5cac45b796fd46838722c49edde8b7f7.pdf?index=true
    • https://6131fb9f-3080-406c-a6ab-c4686b6a2f6f.filesusr.com/ugd/52be6f_bbb5cd81403a41e095634152a977594d.pdf?index=true
    • https://3f5765b5-411c-4b28-96d1-a1e3b219bcee.filesusr.com/ugd/ca847e_0b5bb5c033384f12a455a701bdf57c60.pdf?index=true
    • https://d80868e2-5d34-4dda-9345-0396294a35aa.filesusr.com/ugd/f9fac6_3c5e3ab91b6948bbb19cc224e2a385ed.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
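To show how the duplicate-object heuristic and the per-URL channel labels above are derived, here is an added example scanner. It is written for this page and is not the analysis platform's own code; the sample PDF bytes, the example.invalid URLs and the channel names are constructed for the demonstration. The scanner walks the raw bytes rather than following the xref table, which is exactly what exposes a shadowed definition that a normal last-wins reader would never show you.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): two revisions of a tiny PDF.
# Revision 1 defines 4 0 obj as a link annotation with a benign /URI action;
# an appended incremental update redefines 4 0 obj with a JavaScript action
# that reaches a different URL. No xref tables are included: this scanner
# deliberately does not follow them, because walking the raw bytes is what
# exposes every definition of an object, including the shadowed one.
XMP = b'<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>'
REV1 = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (http://example.invalid/benign) >> >> endobj\n"
    b"5 0 obj << /Type /Metadata /Subtype /XML /Length " + str(len(XMP)).encode()
    + b" >>\nstream\n" + XMP + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
REV2 = (  # incremental update: same object number and generation, different body
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript "
    b'/JS (app.launchURL("http://example.invalid/payload.pdf")) >> >> endobj\n'
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PDF = REV1 + REV2

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Keys that make a definition "active" for severity purposes; the set is a choice, not a standard.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|URI|Launch|OpenAction|AA|EmbeddedFile)\b")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Simplified literal-string capture: no escaped or nested parentheses, no hex strings.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
JS_RE = re.compile(rb"/JS\s*\(([^)]*)\)")


def find_objects(data):
    """Every 'N G obj ... endobj' definition in file order, keyed by (N, G).

    Objects packed inside compressed object streams are not expanded here."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    findings = []
    for key, bodies in objs.items():
        distinct = []
        for body in bodies:
            if body not in distinct:
                distinct.append(body)
        if len(distinct) < 2:
            continue  # byte-identical re-definitions are noise, not a finding
        active = any(ACTIVE_RE.search(b) for b in distinct)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "first_wins": distinct[0],   # what a first-definition-wins parser resolves
            "last_wins": distinct[-1],   # what a last-definition-wins reader (normal PDF semantics) resolves
            "active": active,
            "severity": "high" if active else "info",
        })
    return findings


def label_urls(objs):
    """Map each URL to the channel(s) that reach it: uri_action, javascript, xmp_namespace, body."""
    labels = defaultdict(set)
    for bodies in objs.values():
        for body in bodies:
            for m in URI_ACTION_RE.finditer(body):
                for url in URL_RE.findall(m.group(1)):
                    labels[url].add("uri_action")
            for m in JS_RE.finditer(body):
                for url in URL_RE.findall(m.group(1)):
                    labels[url].add("javascript")
            in_xmp = b"xmpmeta" in body or b"/Metadata" in body
            for url in URL_RE.findall(body):
                if url not in labels:  # reached only outside an action: metadata namespace or plain text
                    labels[url].add("xmp_namespace" if in_xmp else "body")
    return {url.decode("latin-1"): sorted(chan) for url, chan in labels.items()}


def scan(data):
    objs = find_objects(data)
    return {"duplicates": duplicate_objects(objs), "urls": label_urls(objs)}


if __name__ == "__main__":
    report = scan(SAMPLE_PDF)
    for d in report["duplicates"]:
        print(f"{d['obj'][0]} {d['obj'][1]} obj defined {d['definitions']} times, severity {d['severity']}")
        print("  first-wins:", d["first_wins"][:60])
        print("  last-wins: ", d["last_wins"][:60])
    for url, chans in report["urls"].items():
        print(url, ",".join(chans))
```

Replace SAMPLE_PDF with `open(path, "rb").read()` to run it over a real file. The two things the output makes visible are the ones the heuristics above rely on: which body a first-wins versus a last-wins reader would resolve for the duplicated object, and which channel (URI action, JavaScript string, XMP metadata, or plain body text) carries each URL, so that namespace URIs are not mistaken for payload hosts.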

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded fonts; none of the heuristics above fired on them.

  • font_00_sfnt_off0002c8db.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C8DB
    Size: 10912 bytes
    SHA-256: a387e76a9e23f8cf08699a6f9d868de11692c67b9009067e46fca3e11a7e2dab
  • font_01_sfnt_off0002ed22.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2ED22
    Size: 4400 bytes
    SHA-256: 13e4d55749e072013ad1135fcd66ea86b365067197bab95d4a3faf47ec2129a1
  • font_02_sfnt_off0002fbd5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2FBD5
    Size: 15316 bytes
    SHA-256: 75f5857babd44bcf5a9772cc349fc99b07f51cea71c3cf10b0a83bce0c4879b4
  • font_03_sfnt_off00032abf.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x32ABF
    Size: 4324 bytes
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2