Malicious PDF — malware analysis report

Static analysis result for SHA-256 e314bca4437de54d…

Verdict: MALICIOUS
File type: PDF
Size: 77.1 KB
Created: 2021-06-06 01:55:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d3439980291e3abf23780e58adafa8b0
SHA-1: 52566d2969987ea81a157ee2b2ac7f43d3f447ce
SHA-256: e314bca4437de54d0547967747a48926f4a8715e74fb509be8afe08c27429899
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that, when visited, appears to be a lure related to a Pokemon game. The document body, though heavily obfuscated, contains strings that may relate to the URL's content. No scripts were extracted, but the presence of an external URI and the overall detection suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://irlanc.ru/pbw?utm_term=is+pokemon+blazed+glazed+complete
    • https://cdn-cms.f-static.net/uploads/4481400/normal_6009bc4c18345.pdf
    • https://cdn-cms.f-static.net/uploads/4494138/normal_601c797e2f49a.pdf
    • https://static.s123-cdn-static.com/uploads/4369916/normal_5fe0d0206acd2.pdf
    • https://cdn-cms.f-static.net/uploads/4496826/normal_5fd68b7cde0e4.pdf
    • https://cdn-cms.f-static.net/uploads/4419626/normal_6042a8327832d.pdf
    • https://cdn-cms.f-static.net/uploads/4376852/normal_600eb9a060dfd.pdf
    • https://cdn-cms.f-static.net/uploads/4393638/normal_606ea23b167f3.pdf
    • https://cdn-cms.f-static.net/uploads/4393900/normal_6052f6b5b354b.pdf
    • https://cdn-cms.f-static.net/uploads/4369909/normal_604f0e0ba3866.pdf
    • https://static.s123-cdn-static.com/uploads/4493578/normal_5fc60775d2bdc.pdf
    • https://cdn-cms.f-static.net/uploads/4419623/normal_6050d6086c988.pdf
    • https://cdn-cms.f-static.net/uploads/4473640/normal_603025d840d84.pdf
    • https://static.s123-cdn-static.com/uploads/4481061/normal_6005a64236475.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • http://vawijoj.pbworks.com/f/free_printable_shooting_targets_8.5_x_11.pdf
    • http://barotidi.pbworks.com/w/file/fetch/144625845/fobitugolewumovuzupeze.pdf
    • http://sisagexal.pbworks.com/w/file/fetch/144560739/shark_vacuum_lift_away_deluxe_filters.pdf
    • http://lokiboz.pbworks.com/f/gujaf.pdf
    • https://uploads.strikinglycdn.com/files/eec3eee3-73b3-46f7-affe-d67808af487a/56402315363.pdf
    • https://uploads.strikinglycdn.com/files/3fc166be-efc5-4941-94e2-31143434baf4/52709379074.pdf
    • http://lomexalipele.pbworks.com/w/file/fetch/144500796/do_i_have_a_warrant_in_san_diego_county.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000e2f8.bin
    SHA-256: 2b45e4b10212f32708a694c9e9c90e953fab8f4d3dab82b4528bae2933f6cb70
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2F8
    Size: 5228 bytes
  • font_01_sfnt_off0000f4ad.bin
    SHA-256: d6cd45798e121be013b08589a554c262324a84517732f706aa1faa4375659ccb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4AD
    Size: 10580 bytes
  • font_02_sfnt_off000118b3.bin
    SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x118B3
    Size: 4324 bytes