Malicious PDF — malware analysis report

Static analysis result for SHA-256 df92008fdce51da3…

Verdict: MALICIOUS

File type: PDF

Size: 146.9 KB
Created: 2021-03-05 18:48:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-04
MD5: 3d3acc86b3ad52f45ddc48ff35490ad0
SHA-1: 0e4ee62ca79326b634f4c5ce0136ea684fa236a7
SHA-256: df92008fdce51da3268b769b7551608ec3d85bc7c59921145a116c04526daac2
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a phishing site. The presence of external URIs and the overall detection profile suggest a phishing attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8558

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://bologen.ru/wix?keyword=%25D8%25A7%25D8%25B0%25D8%25A7%25D9%2586+%25D8%25A7%25D9%2584%25D9%2581%25D8%25AC%25D8%25B1+%25D8%25AF%25D9%2586%25D9%2581%25D8%25B1 (PDF link annotation)

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (each entry followed by its SHA-256)
stream_007_off00016b66.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x16B66 3048 bytes
SHA-256: cc3c2dc6b38a3bea38f49e503c843201ae919cc8d30e2fde4fdad3ce60da7004
stream_014_off0001ed31.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1ED31 33016 bytes
SHA-256: ef1840e06666bafe2e6fdf02c25116818082cd27f50015b10ff62cefd746d333
font_00_sfnt_off00011f56.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11F56 7720 bytes
SHA-256: 39b0d0c1cbbdc42127513375c3d289933311f481785305f27d18270d5a14c509
font_01_sfnt_off00013320.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13320 3876 bytes
SHA-256: 4f5379de65354a3edbb8ecb575e2431b740214923f624da787cdae36c432f7de
font_02_sfnt_off000140f7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x140F7 4068 bytes
SHA-256: 825d245a28f7bed6fbdbade82728acf9a8036f91ec8daaf7884700253fd46385
font_03_sfnt_off00014ed1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14ED1 2852 bytes
SHA-256: e155ebc04a275e28ca18ecfe4ed1ed6652ec170dd2815a91a660c79ddd8d17ce
font_04_sfnt_off00015aa8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15AA8 5316 bytes
SHA-256: 56cfcd3cf59e80a62a3d2e0d1bac4784a941c84a2b25f154939f646c7b58347e
font_06_sfnt_off00017769.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17769 2736 bytes
SHA-256: b1acd47cb61190faea4aca5977141069452900fa24d55d6b31c9b63d487f6e66
font_07_sfnt_off000182fa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x182FA 2296 bytes
SHA-256: 7e1ce347a2758fcb03f7d4295afa04d869ba35c064d65260c4d2e77e5abbd552
font_08_sfnt_off00018da7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x18DA7 1956 bytes
SHA-256: a707f4be5f4d36e944ed84c55dfd9363fdfaeb4f565d46455ba12af2359ab268
font_09_sfnt_off000196f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x196F1 6336 bytes
SHA-256: 91c0d5d78cce219754aa8f112eded5a121b4867266ad628a59f2a641f6dbb34e
font_10_sfnt_off0001a78e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A78E 14452 bytes
SHA-256: c0e9079aa5675b1d76b2510a7ce69ae8f2b8ffb9b1fc2d8fb3ac7d14b3eb9181
font_11_sfnt_off0001d4f7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1D4F7 16940 bytes
SHA-256: 8963c9d6013e710140b2fe4090a379486ecf13e05adbe0f16dc51c687f6ab4b7
font_13_sfnt_off000229cb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x229CB 3256 bytes
SHA-256: 724c61da0300f5aa90253ed49b166a412c0cb91789ba91e1da8b6b1eb2328bf6