Malicious PDF — malware analysis report

Static analysis result for SHA-256 decb0de58563bcc6…

MALICIOUS

PDF

Size: 72.6 KB
Created: 2021-06-14 05:07:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 408f225c67fbb899ac62e9829a1b96dd
SHA-1: dbb217503afda31fed48fc60684176946884f38a
SHA-256: decb0de58563bcc6f0b21c48bee67414679d25ecab5176d3d365979168f7765d
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF was flagged as malicious by a machine learning classifier (Nyx PDF Classifier, score 0.9997) and by ClamAV, whose signature names it as a phishing trojan. Its link action points to https://pistant.ru/pbw?utm_term=comprehension+worksheets+for+class+8; the utm_term value, 'comprehension worksheets for class 8', is the search lure the document is built around, a pattern consistent with PDFs seeded into search results to draw victims to a phishing or redirect page. Most of the other extracted URLs point to further PDFs on free hosting (weebly.com, strikinglycdn.com, pbworks.com, f-static.net, s123-cdn-static.com), which suggests a set of related lure documents; the remaining URIs are XMP namespace identifiers and a font licence URL from the metadata, not navigable targets. The heuristics recorded for this sample are limited to the URI action, one duplicated indirect object and the extracted URLs; no JavaScript or launch action was recorded. The producer string wkhtmltopdf 0.12.5 shows the document was rendered from HTML. wkhtmltopdf is a legitimate HTML-to-PDF converter, so the producer on its own is not an indicator of malice, although it fits a lure generated from a web template.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once in the file with different body bytes. A reader that keeps the first definition and one that keeps the last will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the victim's viewer. Body-only differences are also what a benign incremental update produces (the editing application appends a new copy of the changed object after the previous %%EOF), so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pistant.ru/pbw?utm_term=comprehension+worksheets+for+class+8
    • https://static.s123-cdn-static-d.com/uploads/4366381/normal_60b2a57034a55.pdf
    • https://static.s123-cdn-static.com/uploads/4408718/normal_5fefcaa86c181.pdf
    • https://jakilirimilibev.weebly.com/uploads/1/3/4/8/134862861/7100569.pdf
    • https://cdn-cms.f-static.net/uploads/4378410/normal_6066178686209.pdf
    • https://birirewenojitu.weebly.com/uploads/1/3/0/8/130813362/zojevolifaretenutube.pdf
    • https://cdn-cms.f-static.net/uploads/4412758/normal_603cac714240a.pdf
    • https://cdn-cms.f-static.net/uploads/4420911/normal_601c97ad2a96c.pdf
    • https://cdn-cms.f-static.net/uploads/4389816/normal_603acc25b2c88.pdf
    • https://cdn-cms.f-static.net/uploads/4373240/normal_60c2c32cc0d7f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://jezopisi.pbworks.com/w/file/fetch/145174104/minecraft_continuum_shader_download.pdf
    • https://uploads.strikinglycdn.com/files/65362c5b-43b8-415a-a9da-54a6c20a5c82/verbos_en_ingles_en_pasado_participio_regulares_e_irregulares.pdf
    • https://uploads.strikinglycdn.com/files/36f66e58-6a65-4c19-8c5a-f4f07a886a02/software_development_life_cycle_stages.pdf
    • http://wotasaful.pbworks.com/f/maslach_burnout_inventory_manual_4th_edition.pdf
    • http://figuduvimeti.pbworks.com/f/mutirinaxotegavadakasavi.pdf
    • https://uploads.strikinglycdn.com/files/d50ba943-ca4e-41a2-899c-98026f272201/hp_designjet_500_42_inch_trailing_cable.pdf
    • http://ziduzobif.pbworks.com/w/file/fetch/144440538/django_bootstrap_modal_forms_master.pdf
    • https://uploads.strikinglycdn.com/files/816a2d40-43fe-4db0-a3c5-c4f67945ea07/zudoxiwij.pdf
    • http://tikomegeto.pbworks.com/f/pelokurotipit.pdf
    • http://saxonax.pbworks.com/w/file/fetch/144707946/tafawixinowojogafadubomu.pdf
    • https://uploads.strikinglycdn.com/files/417caefe-141e-4cd8-b8f7-410f4cd82c5b/7093277279.pdf
    • http://nusometa.pbworks.com/w/file/fetch/144740958/download_mp3_full_al_quran_30_juz_-_imam_abdurrahman_as-sudais.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are XMP/RDF namespace identifiers and the SIL Open Font License URL carried in the document and font metadata; they are declarations, not link targets, and are expected in any wkhtmltopdf output with embedded fonts.
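
The duplicate-object and URL heuristics above can be reproduced with a small byte-level scanner. The following Python is an added illustration written for this page, not code from the analysis platform that produced the report; the sample PDF bytes, its object numbers, the example.net/example.com URLs and the ACTIVE_KEYS list are constructed assumptions. It walks every `N G obj ... endobj` definition in file order, reports object numbers whose bodies differ, shows what a first-wins and a last-wins reader would resolve, rates a duplicate as critical only when one of its bodies carries active content (JavaScript, launch, additional-action and similar keys), and labels each extracted URL by whether it sits in a /URI link action or only appears elsewhere (here, an XMP namespace declaration).

```python
"""Byte-level PDF triage: duplicated indirect objects and URL channels."""
import hashlib
import re
from collections import defaultdict

# Constructed sample, not the analysed file. Two objects are redefined by an
# incremental update appended after the first %%EOF: object 4 (a link
# annotation) only changes its /URI target, object 6 gains a JavaScript
# additional-action. Cross-reference tables are omitted because this scanner
# walks the raw bytes instead of trusting xref offsets.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.net/original.pdf) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 66 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream
endobj
6 0 obj
<< /Type /Annot /Subtype /Widget /Rect [0 0 10 10] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/lure) >> >>
endobj
6 0 obj
<< /Type /Annot /Subtype /Widget /Rect [0 0 10 10] /AA << /PO << /S /JavaScript /JS (app.alert(1)) >> >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# Assumed list of keys whose presence lets an object trigger behaviour when it
# is resolved; a plain /URI link is deliberately not counted as active here,
# matching the "info" rating the report gives the PDF_URI heuristic.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/RichMedia")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # literal-string /URI values only
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")


def iter_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def find_duplicate_objects(data):
    """Map (num, gen) -> bodies, keeping only objects defined more than once
    with differing bytes (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape)."""
    seen = defaultdict(list)
    for num, gen, body in iter_objects(data):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items()
            if len({hashlib.sha256(b).hexdigest() for b in v}) > 1}


def resolve(data, num, gen, policy):
    """Body a 'first'-wins or 'last'-wins reader would use; None if undefined."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def rate_duplicates(data):
    """Severity per duplicated object: 'critical' only when some body carries
    active content, otherwise 'info' (benign incremental updates are common)."""
    return {key: ("critical" if any(has_active_content(b) for b in bodies) else "info")
            for key, bodies in find_duplicate_objects(data).items()}


def url_channels(data):
    """Label each URL by channel: 'uri_action' if it is the target of a /URI
    link action, 'other' if it only occurs elsewhere (metadata, body text)."""
    actions = {m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(data)}
    every = {m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(data)}
    return {u: ("uri_action" if u in actions else "other") for u in every}
```

A conforming reader follows the cross-reference chain (the second trailer's /Prev link), so which body it uses depends on the xref rather than on file order; the scanner ignores xref on purpose so that a forged or stale table cannot hide a definition from triage. Stream bodies are not inflated, so URLs inside FlateDecode-compressed objects would be missed; for real samples, decompress stream contents with zlib before running the URL match.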

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                       Size
font_00_sfnt_off0000ddc5.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xDDC5    5508 bytes
    SHA-256: 00da6fd5ec47efaa0db27fddd0e478326d63ffed654126cf557b0399288080c0
font_01_sfnt_off0000f067.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xF067    10996 bytes
    SHA-256: d951fae57413b9686e9f3c3e0efc04ddd7470c79c3a499b09d2ba585849c51a0