Malicious PDF — malware analysis report

Static analysis result for SHA-256 f67f3f0168900ba0…

MALICIOUS

PDF

Size: 79.4 KB
Created: 2021-04-09 22:43:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 852e86317edc3e4e0a891d7cfd306cbf
SHA-1: 79b52fbb2dfdf41d7cb3cba8b4fa0055dd6cbc29
SHA-256: f67f3f0168900ba0b00ac66eba43698df0ce2c9e6c22aad8cd7d2c12efdeaf28
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URL that is presented as a search result, likely to trick the user into clicking it. No scripts were extracted, but the presence of an external URI and the phishing detection suggest a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nipisod.ru/strik?utm_term=cn+rail+signal+maintainer+salary

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000f950.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF950  5012 bytes
    SHA-256: 1818db584fd5044d8f2e4b6eaf0a9329b715451cd81eb298bfb971f05ea1cd17
font_01_sfnt_off00010a48.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10A48 11028 bytes
    SHA-256: 00a80f9c1cc33da927b5b8bd77cb8de7f4d286d1247ddbcbd48bd6dc21a8b502