Malicious PDF — malware analysis report

Static analysis result for SHA-256 df33763ece4a778d…

MALICIOUS

PDF

Size: 107.6 KB
Created: 2021-05-31 21:13:12 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f5d6a3d9d45e63bc121ac8ae832e656e
SHA-1: b9e61ae95ee65004b5688de888fbddcc95e0516c
SHA-256: df33763ece4a778d5df55c6d3137ce6cd52e068ed5a86c3249eee90ab0bec78b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a lure related to wealth, directing the user to an external URL. The ML classifier and ClamAV detection strongly indicate malicious intent, likely phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest it's designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coretry.ru/pbw?utm_term=who+is+the+richest+person+on+earth+now

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                      | Size
font_00_sfnt_off000165f4.bin  | bef4cfe12cdbcd6e43bd60ce1f9ab34777e53c19083b239c50e5445e3fa365c9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x165F4  | 5092 bytes
font_01_sfnt_off00017757.bin  | dcf53418306a19866d88a898d6c7556bbeb3e759eb6bb4b17523d7e3022fd76b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17757  | 12636 bytes