Malicious PDF — malware analysis report

Static analysis result for SHA-256 d70f4190bac72498…

Verdict: MALICIOUS
File type: PDF

Size: 80.3 KB
Created: 2021-04-10 04:15:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: 1000d30bfbc4c0fa2a8415bd21b130e4
SHA-1: e6c689c70884a7784c5ce03ee2b400afd9ca11b7
SHA-256: d70f4190bac72498954260736b1eb0ae58ad9328804fd51a537af8088c86baba
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URL, https://xezojetit.ru/strik?utm_term=mantis+rototiller+won%2527t+start, is likely used to deliver a secondary payload or redirect the user to a phishing site. The document body, though heavily obfuscated, contains text that appears to be a lure related to a 'Mantis rototiller'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://xezojetit.ru/strik?utm_term=mantis+rototiller+won%2527t+start (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000eef3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEEF3 | 4600 bytes | 38725e2c2d176b14962d212f8eb8ebac0c86a21233d587636677b6f3ec30e394
font_01_sfnt_off0000fea7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFEA7 | 10976 bytes | 978e34601ecc4bd244114f4ac84bcf8a79080707b8500ed46d4de6e562bbd0d7
font_02_sfnt_off00012421.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12421 | 4324 bytes | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c