Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6746a47c6ca59b4…

MALICIOUS

PDF

  • Size: 72.7 KB
  • Created: 2021-05-31 10:10:39 +03:00
  • Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
  • First seen: 2021-09-22
  • MD5: 1026aea036f4aaf575dc51c6daaf8f43
  • SHA-1: 74be04809423754f4bf975ece438c26d14643d99
  • SHA-256: d6746a47c6ca59b4c8971c9dde8c5bffe26c98ee9b979a9e572df9a5bbd0dba3
  • Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xajibur.ru/123?utm_term=canada+passport+application+renewal+form (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000de9d.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xDE9D; Size: 5296 bytes
    SHA-256: 8c1dbe83d3e877bc508781bfe99cb42a5a360582586cad10217d2800d958a17f
  • font_01_sfnt_off0000f09e.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF09E; Size: 10744 bytes
    SHA-256: 2aa2650da711e0452bfa69b45ee9aec9b4e8f08d18054a0781589a17fde79092