Malicious PDF — malware analysis report

Static analysis result for SHA-256 e694265461c8c941…

MALICIOUS

PDF

Size: 107.3 KB
Created: 2021-03-21 08:53:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-07-02
MD5: c30d74f8b040d9377a00a95a576b7c49
SHA-1: 8d8783bff780d4300a0cad8f1cce55cfbe739244
SHA-256: e694265461c8c94182dc5602c2507bc4d845d1cc8556147b6e74827a8f96ee3c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. Although no scripts were explicitly extracted, the presence of embedded URLs and the nature of the detection suggest a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9906

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jacksth.ru/wix?keyword=graystripe+warriors+cat (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4494677/normal_6040540781bd7.pdf (in PDF document text)
    • https://cdn.sqhk.co/xorilulog/jaI4ygj/60202879240.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4416927/normal_600af692918b4.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4464065/normal_6004f17ac4704.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4495058/normal_5fce2b516a782.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4405208/normal_5fcd367aa2a44.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4380527/normal_5fc6a3d079cf7.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4468827/normal_6016494245314.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4369777/normal_604e18af4c3a2.pdf (in PDF document text)
    • https://cdn.sqhk.co/zevijevam/gibgfb7/servpro_mold_removal_reviews.pdf (in PDF document text)
    • http://kowojolajamuv.getenjoyment.net/colostomy_bag_care.pdf (in PDF document text)
    • https://cdn.sqhk.co/matezafun/sgj97ha/44900633240.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4402712/normal_603323c8af9f4.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379500/normal_5fe6b1194265b.pdf (in PDF document text)
    • https://cdn.sqhk.co/jemajujo/Ahjjdh0/zakukolagoloradudu.pdf (in PDF document text)
    • https://cdn.sqhk.co/nowovadizeb/gcChhiv/bounce_jumper_edm_rush_download.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/nufidibodudulad/the_love_dare_for_parents_list_1-40.pdf (in PDF document text)
    • https://s3.amazonaws.com/musoxifuvitalo/45126767159.pdf (in PDF document text)
    • https://s3.amazonaws.com/damerirazib/lorutene.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/66f4ba37-8118-42ea-aeda-201b0b1b5a35/49188552715.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2dc1e4b5-7148-4910-80f4-4f2fadd04a07/what_is_a_good_score_on_gre_verbal_reasoning.pdf (in PDF document text)
    • http://gakajitaju.atwebpages.com/autocad_beginner_exercises.pdf (in PDF document text)
    • https://s3.amazonaws.com/gadumagabusodel/kali_linux_tutorial_videos.pdf (in PDF document text)
    • https://s3.amazonaws.com/pezofut/radial_tunnel_syndrome_exercises.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size and SHA-256.

  • font_00_sfnt_off0000f239.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF239
    Size: 12280 bytes
    SHA-256: f9f6c8e99cc34e270606611bc62772cea708a119514a08edf1dd741febbe2cea
  • font_01_sfnt_off00011472.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11472
    Size: 3712 bytes
    SHA-256: d68110371f4ce7be2d2bbe126fccbc39da2388cfd20ffc0226db6f385d5fa651
  • font_02_sfnt_off0001216f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1216F
    Size: 5120 bytes
    SHA-256: e274bf570abea0a78a3b392a6332f7c554293c60dd6355b0f03938679529a398
  • font_03_sfnt_off00013302.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13302
    Size: 9016 bytes
    SHA-256: 1cb255340e24d02399a93b85dd1c54edcd9ede3f1d4c66693f6b52c798ee5e85
  • font_04_sfnt_off00014536.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14536
    Size: 10976 bytes
    SHA-256: 38329fa7169314ab79f77c533ab6ff1dbcf85fb9959dd3eba70d6469d34514ae
  • font_05_sfnt_off00016b07.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16B07
    Size: 17256 bytes
    SHA-256: 8e6c798e670d5aba180d08b0a3194fd67785bc59c41e256bc001c18d0d9128e6
  • font_06_sfnt_off000184b8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x184B8
    Size: 16636 bytes
    SHA-256: 4367bd6fe833055e3d82ecef774c1a41985bbe47645e04d32a7d4e6a01ed96f0