Malicious PDF — malware analysis report

Static analysis result for SHA-256 da811021d61db0b7…

Verdict: MALICIOUS
File type: PDF
Size: 80.5 KB
Created: 2021-04-21 21:56:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c6dce5459d317721601ff5253b29fee4
SHA-1: b4b442650a2aeee7c19390ae27a642ad8ea1b30d
SHA-256: da811021d61db0b729ce9fcf39792efe296c6d60e5603d210f808278752a2332
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains a URL pointing to a malicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also strongly indicated maliciousness. The document body, though heavily obfuscated, appears to be a lure related to smoking wood chips, likely intended to trick the user into visiting the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://pelibifir.ru/strik?utm_term=do+you+soak+the+wood+chips+before+smoking

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f918.bin
    SHA-256: 49e40038d11f1e0e781b2977245e9039749f738b8df8b1b6b72a366756972742
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF918
    Size: 5936 bytes
  • Filename: font_01_sfnt_off00010d44.bin
    SHA-256: 95239a2aa2038f80497017e7f31540a69e228b5bfd6456d4cb0870ddb910da04
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D44
    Size: 11500 bytes