Malicious PDF — malware analysis report

Static analysis result for SHA-256 de94739f28ff5e98…

MALICIOUS

PDF

29.9 KB Created: 2020-04-06 07:49:54 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6) First seen: 2020-09-24
MD5: de2b0c4869523696dcccbe995bc2ab62 SHA-1: 61103e394c752f116063afa581b33b7a037ed1b5 SHA-256: de94739f28ff5e981a46e2c7a1c0bffc54cdda8613d7d361c051309362c94a3e
76 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by an ML classifier with high confidence. It contains multiple embedded URLs pointing to external domains, suggesting a phishing or redirection attempt. The document body, though partially corrupted, contains text related to 'Imagenes de guerra espiritual gratis' and the authoring application 'wkhtmltopdf', which may be part of a lure. The primary attack pattern involves directing users to potentially malicious external content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 4

  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://digitaldocmd.com/uploads/1/3/0/2/130271015/130271015.html#imagenes+de+guerra+espiritual+gratis PDF link annotation
    • http://globalwaronchristmas.com/uploads/1/3/0/4/130436137/226553.pdfIn PDF document text
    • http://vanderscleaningservices.com/uploads/1/3/0/9/130968915/sudujinavamafakevot.pdfIn PDF document text
    • http://chiroaustralia.com/uploads/1/3/0/4/130436137/f6a6d5bae0fb.pdfIn PDF document text
    • http://reddeermassages.ca/uploads/1/3/0/6/130621505/vonimifumisemobamub.pdfIn PDF document text
    • http://yourfitnesscoaching.com/uploads/1/3/0/4/130483200/pexadare_jojezuw_lelila.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c24.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x4C24 7976 bytes
SHA-256: 17334037356ea9b5b0d8e0a15a10d0c8a041e1952500903fa57db103f31ff997