Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6a1993c34177ca1…

Verdict: MALICIOUS
File type: PDF
Size: 117.8 KB
Created: 2021-03-11 17:17:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d8458892b8d10bafee57902e062d03fe
SHA-1: b2542082b76a303c5c13a0b70aef945b8f7e3937
SHA-256: d6a1993c34177ca17dfa70e3e12f2d0694c36c77cbeb38b392c6ad59eeadaa3b
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain. Heuristics indicate the presence of external URIs and a high ML score, along with a ClamAV detection for a phishing trojan. The document body, though heavily obfuscated, suggests a lure related to photography, likely to trick the user into clicking the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000193e4.bin
SHA-256: a6141d29a232ec04799689accd1768b14fb722a637234546aa05de0ed3f164c0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x193E4
Size: 5512 bytes

Filename: font_01_sfnt_off0001a674.bin
SHA-256: 1791ab12f5f59a9364b54bd6fb39a094c4fd273fa36e84e445b7331e7c61c340
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1A674
Size: 10316 bytes