Malicious PDF — malware analysis report

Static analysis result for SHA-256 e828594b78bfc7ff…

Verdict: MALICIOUS
File type: PDF
Size: 282.8 KB
Created: 2021-05-28 13:32:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 6f5c553dd99c4f458dd9a4b69b7d654b
SHA-1: 1cd98e3303496a8d1ebadb6b6447f2f6ff26465b
SHA-256: e828594b78bfc7ff5a03c1d5bbc2bb29133511d639e4ba40b4b16955614b0800
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9538

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://lozipotod.ru/123?utm_term=grapplers+guide+3.+0 (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4405208/normal_600df7e4d4dbc.pdf (in PDF document text)
    • https://judurufag.weebly.com/uploads/1/3/4/6/134688768/bejeku_wovibonupipojo_relulitevo_kekuguk.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4393348/normal_60679ee477e37.pdf (in PDF document text)
    • https://tuboxivodase.weebly.com/uploads/1/3/4/3/134387713/9068203.pdf (in PDF document text)
    • https://static.s123-cdn-static-d.com/uploads/4426271/normal_60b00cd25ef69.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4377924/normal_5fe932ade95a3.pdf (in PDF document text)
    • https://sigegasolo.weebly.com/uploads/1/3/4/7/134732441/lawexi.pdf (in PDF document text)
    • https://xizotikozuza.weebly.com/uploads/1/3/4/5/134587863/35437172bdf1c57.pdf (in PDF document text)
    • https://fitulepam.weebly.com/uploads/1/3/0/8/130874207/bupebobosajuti_fijijedewu_naranelok_riniworawaze.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4488315/normal_603edafa1ad76.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • https://uploads.strikinglycdn.com/files/cb83ca40-15c2-4fde-b53d-44efca077f60/1130882175.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/d1cf6afb-fba2-45d4-8a89-52c0f10f442c/stock_market_trading_in_india.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/75f4e779-a0e3-457a-b22f-19468618b542/is_dog_lucky_in_2020.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/6117c891-a8a6-46af-b21b-f85a7bbd87a8/presto_cool_daddy_deep_fryer_05442.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b9f6c652-43de-49f5-adf2-18ed53b9874c/the_devil_wears_prada_watch_online_netflix.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9c91c64d-be73-4122-b875-ddcbe9ce7999/55257192247.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/f8543597-6b4b-492b-a858-88e0abdc3c81/95634506019.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/18e2b0a7-d04d-4cb2-9611-3a258f067714/89879462287.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9c018bac-3d00-45f2-8240-c6330bd5dc04/povaxefakovazumixupa.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2b4c70a6-2a80-4213-9d01-7f97ae2dc803/44637825180.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/8d2d6e18-7a35-45d3-8187-714c0459f237/starcraft_2_freezing_during_gameplay.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • font_00_sfnt_off0003fda3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3FDA3
    Size: 5084 bytes
    SHA-256: ded737b363b7b511bf2fa0b55638543813cf631966a5779e66e088da6b77f29c
  • font_01_sfnt_off00040efe.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x40EFE
    Size: 12288 bytes
    SHA-256: 28df10f12334c824c44c2665e637442bde1c154cefb74decfd8faaa97cfeef26
  • font_02_sfnt_off000438ed.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x438ED
    Size: 16204 bytes
    SHA-256: 541fa2b6826b0add99b7d5a173ef1e6a5567607b5192f75b810eb17d6a563501
  • font_03_sfnt_off00044e1b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x44E1B
    Size: 4324 bytes
    SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361