Malicious PDF — malware analysis report

Static analysis result for SHA-256 d96789dd537b9156…

Verdict: MALICIOUS
File type: PDF
Size: 82.9 KB
Created: 2021-03-19 10:51:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 626ece976183bc33667ee3d06c91aa1f
SHA-1: 254d2e55860ad3f1651eee2d2e09eba16425f728
SHA-256: d96789dd537b9156fac5474535f5445a19fbb4e7cfa90d04a8a3ec53da498817
Risk Score: 136

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The sample is a PDF file flagged by ClamAV as a phishing trojan, and a high-confidence ML classifier also identified it as malicious. A heuristic match for 'Clipboard command execution lure' indicates that the document prompts the user to paste clipboard content into a command line or shell. An external URI was also extracted, which may serve as a download or redirection point for a secondary payload.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9997)

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure (severity: high, SE_CLIPBOARD_COMMAND_LURE)
    The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • External URI (severity: info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://kuzutuzo.ru/wix?keyword=2007+mazda+3+manual+transmission+speed+sensor+location
    • https://cdn.sqhk.co/pasivuzuke/igvhgge/vesusulo.pdf
    • https://cdn.sqhk.co/sifalavuxozo/aQidges/jajubagudobazu.pdf
    • http://sepibuzare.22web.org/rawl_bolt_drilling_sizes_guide.pdf
    • https://cdn.sqhk.co/xerolunem/gfVjjid/easy_frosting_recipe_for_german_chocolate_cake.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/tapexiw/40707059325.pdf
    • https://uploads.strikinglycdn.com/files/b41e23c4-d28e-424b-ac73-59baedb85f41/what_does_basc_3_measure.pdf
    • https://uploads.strikinglycdn.com/files/5872ace7-17e2-4d0f-9cdd-43ad40a681b0/lujekepuropu.pdf
    • https://s3.amazonaws.com/nuruvapozixix/moxatinurib.pdf
    • https://uploads.strikinglycdn.com/files/ab0dfdb5-fbcc-4182-af3c-002a08702ed9/netisuzofidirasebanezati.pdf
    • https://uploads.strikinglycdn.com/files/4ae8f576-6638-4aaf-b1ee-520160bfc1ca/85840915101.pdf
    • http://lojokedasu.rf.gd/rapport_sur_l_absentisme_au_travail.pdf
    • https://uploads.strikinglycdn.com/files/73e32135-1f3c-42b0-aba9-b959c65c825e/digumenodutuvapa.pdf
    • https://uploads.strikinglycdn.com/files/d84034c0-3623-4453-838c-dff7e9eef4cd/spelljammer_ship_stats.pdf
    • https://uploads.strikinglycdn.com/files/e8d1131b-767a-44ab-a4c8-d6c11345f28f/onkyo_tx-sr393_factory_reset.pdf
    • https://s3.amazonaws.com/jivuxo/what_is_the_fourth_book_in_the_after_series.pdf
    • https://uploads.strikinglycdn.com/files/61397422-3e47-472c-bf61-e00a62cb0789/army_drill_pay.pdf
    • https://uploads.strikinglycdn.com/files/9ad38b49-b46d-41e6-8d11-7d6adbaffd5d/mixed_berry_smoothie_recipe_with_yogurt.pdf
    • http://demunoj.epizy.com/project_report_on_cyclotron_for_class_12.pdf
    • http://dikewovob.epizy.com/excel_formulas_in_hindi_download.pdf
    • https://uploads.strikinglycdn.com/files/a284d0bf-222e-4d12-9732-cf7e8719047d/samsung_galaxy_s5_mini_att.pdf
    • https://uploads.strikinglycdn.com/files/3bdd48e3-ad8c-4a54-b84e-c23f7f4ca6d9/57902596911.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000103cf.bin | 240607d0fc37dcc4c641a784767e56f18d0a2598615379de2d189eccb67b9aff | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103CF | 5692 bytes
font_01_sfnt_off00011723.bin | 8c8050d877351f99a9a35792a84fc1fe18558a885090f2edf2dc38d22e8679cf | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11723 | 11436 bytes