Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc6a4d67a7edb519…

MALICIOUS

PDF

Size: 81.8 KB
Created: 2021-03-16 09:38:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3cb3b8dde83bc18d26836d2bfe98b382
SHA-1: bf77d974d0b316445326f89b8d589f49c399adbb
SHA-256: dc6a4d67a7edb5198d05791014124f974680ea751d41ec38a183dc13b2f1dbd7
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL pointing to a suspicious domain. The ML classifier and ClamAV detection strongly indicate maliciousness. The document body, though heavily obfuscated, contains text related to 'safety first sail away travel systems' and the authoring application 'wkhtmltopdf', suggesting a lure to a potentially malicious website.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for that object, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/wix?keyword=safety+first+sail+away+travel+systems

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f659.bin
  SHA-256: 20e67428e7c9ff7e7e4921ac1b7c5cc25ced6bc130f5e60bd167cf3903e4ef0d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF659
  Size: 4840 bytes

Filename: font_01_sfnt_off000106de.bin
  SHA-256: f46e299655ed6f1423a0b6cfb2adc4f2ff82a3d205726b0543aa80a741369d78
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x106DE
  Size: 10760 bytes

Filename: font_02_sfnt_off00012bb5.bin
  SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12BB5
  Size: 4324 bytes