Malicious PDF — malware analysis report

Static analysis result for SHA-256 d69b5b8043688f05…

Verdict: MALICIOUS
File type: PDF
Size: 101.1 KB
Created: 2021-04-07 03:21:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2252a497c040d01f7bf7e99d10aee067
SHA-1: 4e79a6ef43128621319867f10c296532a2324050
SHA-256: d69b5b8043688f050fef5f4d9322c852bcdb6e198f3b39a4d7ba6d078a039e0e
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF that uses a lure of 'worksheet answers' to entice users to click on embedded links. One high-severity heuristic indicates an image-heavy PDF with an invisible link to a suspicious domain, and ClamAV detected it as a phishing trojan. The primary malicious URL identified is http://managerprogram.live/california_proposition_65_list9260z.pdf, which is likely the payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9988

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image-heavy PDF with invisible link to suspicious domain [high, PDF_SUSPICIOUS_LINK_LURE]
    The PDF is a small, image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • External URI [info, PDF_URI]
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00011add.bin | 2ebacec2301d02675a200f121a2d4f0cbd7f8ecce061a083d65c63f1926658d1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11ADD | 6552 bytes
font_01_sfnt_off00012b0d.bin | bbd4bd11c2b00a4e08f33106e2796f46e7d6c01fe11b2bbc69fd8ea0ebbd5017 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12B0D | 5388 bytes
font_02_sfnt_off00013d70.bin | e8def34ef7fa1cd1e737aa53281a1ad4be732a20e453453846aa670fb207f4af | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13D70 | 2044 bytes
font_03_sfnt_off000146dd.bin | 32948e5a0bdfadce6b094f7f2b09532ed6c00801934a903c237c6d3e5dc5424f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x146DD | 11876 bytes
font_04_sfnt_off00016f70.bin | da8fe2d704f9f48e7f55fd63c1285d9b553f117ba1786b24caa2f8846a07fd0b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16F70 | 16516 bytes