Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd73169ccc4783fd…

MALICIOUS

PDF

Size: 82.3 KB
Created: 2021-05-31 18:54:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: caa78d5f8a243a245ed6d4bfba62cbaf
SHA-1: e9e0eebb9cede2c7944b3b435fe3ae2015f158d5
SHA-256: dd73169ccc4783fd730534da1f49dd7a9daa54cda34e4b549913433f889607c1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, which identified it as a phishing trojan. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and a URL related to 'minecraft xp farm', suggesting a lure. The embedded URL 'https://queure.ru/pbw?utm_term=minecraft+xp+farm+2020+survival' is the primary indicator of malicious intent, likely leading to a phishing or malware download site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/pbw?utm_term=minecraft+xp+farm+2020+survival

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

font_00_sfnt_off0000f871.bin
  Hash: cd58b4cb99bbfd55ae42bf7dfaaf8cb36cf5eb34c3c4e2ea9eaa04abf5ade9f9
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xF871 | Size: 2988 bytes

font_01_sfnt_off0001031e.bin
  Hash: 31dbb4dfffe29a2276a1548898b36ad734690a6c7842b74bdc983c32f7c653df
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x1031E | Size: 5568 bytes

font_02_sfnt_off0001160f.bin
  Hash: 7845044732ce7403239e2709239412ec117485e95da69722b97e1204fc0ff26e
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x1160F | Size: 10848 bytes