Malicious PDF — malware analysis report

Static analysis result for SHA-256 e75a5853990d7603…

Verdict: MALICIOUS
File type: PDF
Size: 79.8 KB
Created: 2021-03-18 10:55:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-06-17
MD5: 5a09d6d8ab10a2c8d6b9e9bc5e2329af
SHA-1: d51a80c6f9cc7448b3b611f7885fc06e5392d8bd
SHA-256: e75a5853990d7603c5a5c3c58570aec9be00e4ea69ba637a726c0619291395cd
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is flagged by both the ML classifier (Nyx PDF Classifier, score 0.9991) and ClamAV, and the two verdicts agree. The only active link is a /URI link annotation pointing to https://dugedepap.ru/wix?keyword=what+is+transduction+in+the+eye; the query string carries a search keyword, a shape typical of search-engine-poisoning lures that redirect the visitor. http://liketime.online/nemivebowukiwuse7gpmb.pdf and a further set of .pdf links on file-hosting and miscellaneous domains occur only in the document text, so a reader reaches them by copying the text rather than by clicking an annotation. One indirect object is defined twice with different bodies (an incremental update); the report keeps that at info level because the duplicate was not found to carry active content. The authoring metadata (wkhtmltopdf 0.12.5 via Qt 4.8.7) shows an HTML page rendered to PDF, consistent with a generated lure document. No JavaScript or embedded-file heuristic fired; the risk rests on the link destinations and on the AV and ML verdicts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/wix?keyword=what+is+transduction+in+the+eye (in PDF link annotation)
    • http://liketime.online/nemivebowukiwuse7gpmb.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4405197/normal_6002ae7053e2e.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4464523/normal_6017426fcc8c6.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4492272/normal_5fd2dbfbf260a.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4488139/normal_6052bd8e6dcea.pdf (in PDF document text)
    • http://insurancesouk.com/13339560984okteb.pdf (in PDF document text)
    • http://grampus-shop.com/pikigbpgae.pdf (in PDF document text)
    • http://bandalet.club/music_notes_treble_clef_worksheetweqlk.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4413848/normal_5fe44653b90db.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4367301/normal_5ff9aa523592c.pdf (in PDF document text)
    • http://digitaltoolsfor.xyz/relion_blood_pressure_cuff_accuracyywla6.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://s3.amazonaws.com/pokixovuxik/gta_3_hidden_packages_guide.pdf (in PDF document text)
    • https://s3.amazonaws.com/vavapekadoliti/tesla_model_3_2021_price_drop_uk.pdf (in PDF document text)
    • https://s3.amazonaws.com/jevopemosod/how_to_factory_reset_my_motorola_android_phone.pdf (in PDF document text)
    • https://8f6f9f04-f977-4239-955d-f6aecf2dd879.filesusr.com/ugd/81cd61_eee1b6af626645bab770425e190a8439.pdf?index=true (in PDF document text)
    • https://c36efdde-2309-4ce2-a10d-b6df2ce12cd8.filesusr.com/ugd/e98059_d7507d33d6d94851ab2b850b8472aa6e.pdf?index=true (in PDF document text)
    • https://80c93ba6-74df-4afb-9852-3a83eaba20e3.filesusr.com/ugd/4cf28d_5029e8d46cc7418ba160487fb49dac5a.pdf?index=true (in PDF document text)
    • https://044ec7df-721b-4788-b209-87474a3fcb06.filesusr.com/ugd/60ffa2_c700f790a4e84ef1a8102a49296abae9.pdf?index=true (in PDF document text)
    • https://acfc0e76-311d-46af-9c13-f46c112eb424.filesusr.com/ugd/f90bad_94e4d23b82654cb5bb76dc0893d93fa2.pdf?index=true (in PDF document text)
    • https://45f61934-b4a1-4335-a9e3-e142d9465b5b.filesusr.com/ugd/0dd040_3e645cb203a24bd1bdf504bec013fd60.pdf?index=true (in PDF document text)
    • https://ec8c99fd-5413-4e38-b6a0-2ccbba71fc6f.filesusr.com/ugd/de02f3_ade14e73c90e4a3a8bf6b4912504526b.pdf?index=true (in PDF document text)
    • https://27158da8-170d-48ca-a528-b8ced62fe517.filesusr.com/ugd/9fc8c3_9854d0a147fc430a9b38d0fbae905851.pdf?index=true (in PDF document text)
    • https://s3.amazonaws.com/mefovu/97061075285.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace URIs, and the ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL entries are font-vendor and font-licence links carried by the embedded fonts; these are routine for a wkhtmltopdf document and are not indicators. Only the link annotation is clickable; every other URL is reached by a reader copying text.
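As an added example, not part of this report or of the analysis tool that produced it, the following Python script reproduces the two checks described above (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic and the per-URL channel labelling under EMBEDDED_URL) on a constructed sample. It finds indirect objects defined twice with different bodies, shows which body a first-wins and a last-wins reader would use, raises severity only when a duplicate carries active content, and labels each URL as reached through a /URI link-annotation action or only present as document text. The sample PDF, its object numbers and the example.com / example.org / example.net URLs are constructed for illustration; its cross-reference tables are omitted on purpose because the scanner, like a triage tool, parses raw object bytes instead of trusting the xref.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file). The original document carries one
# link annotation (object 4) with a benign /URI action; an appended incremental
# update redefines object 4 with a different URI. Cross-reference tables are
# omitted on purpose: the scanner works on raw object bytes, as triage tools do
# when the xref cannot be trusted.
ORIGINAL = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.com/benign-landing) >> >>
endobj
5 0 obj
<< /Length 43 >>
stream
BT (see http://example.org/notes.pdf) Tj ET
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
UPDATE = b"""4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://example.net/redirect) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
SAMPLE = ORIGINAL + UPDATE

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.S)
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")
ACTIVE_RE = re.compile(rb"/(JS|JavaScript|Launch|URI|GoToR|SubmitForm|OpenAction|AA)\b")


def parse_objects(data):
    """Map (number, generation) -> list of body bytes in file order, so a
    redefined object keeps every body it was ever given."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies, i.e. the
    PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape. Byte-identical re-emissions are
    ignored because they resolve the same way under any policy."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(objs, key, policy):
    """Body a reader would use: 'first-wins' keeps the original definition,
    'last-wins' takes the latest incremental update (what the spec intends)."""
    bodies = objs[key]
    return bodies[0] if policy == "first-wins" else bodies[-1]


def uri_actions(body):
    """URIs reached through /URI actions inside one object body."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(body)]


def severity(bodies):
    """Raise severity only when some duplicate body carries active content;
    body-only differences are common in benign incremental updates."""
    return "high" if any(ACTIVE_RE.search(b) for b in bodies) else "info"


def classify_urls(data, objs):
    """Label every URL by the channel that reaches it: 'link annotation' when
    any object body names it in a /URI action, otherwise 'document text'."""
    action = {u for bodies in objs.values() for b in bodies for u in uri_actions(b)}
    seen = {u.decode("latin-1") for u in ANY_URL_RE.findall(data)}
    return {u: ("link annotation" if u in action else "document text") for u in seen}


if __name__ == "__main__":
    objs = parse_objects(SAMPLE)
    for key, bodies in duplicate_objects(objs).items():
        print(f"object {key[0]} {key[1]}: {len(bodies)} bodies, severity {severity(bodies)}")
        for policy in ("first-wins", "last-wins"):
            print(f"  {policy:<10} -> {uri_actions(resolve(objs, key, policy))}")
    for url, channel in sorted(classify_urls(SAMPLE, objs).items()):
        print(f"{channel:<15} {url}")
```

Run against the sample, object 4 0 is reported as a high-severity duplicate: a first-wins reader follows the benign landing page, a last-wins reader follows the redirect, and the notes.pdf URL is labelled document text because no action references it. The regex object scanner deliberately ignores the xref so that it sees both bodies; a parser that resolves only through the xref would report a single definition and miss the disagreement.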

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0000eda1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xEDA1    4992 bytes
  SHA-256: 72abc78cf2153455d1b135179686cddcdf9a7cc81a530045fb94dbb4cf7fb2cd
font_01_sfnt_off0000fe92.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xFE92    10860 bytes
  SHA-256: 716334df059684fc50186acf45bc2c03bb1e7e318c1b726895fe7c0f47a2a8d4
font_02_sfnt_off000123b5.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x123B5   4324 bytes
  SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361