Malicious PDF — malware analysis report

Static analysis result for SHA-256 f76034e0c1942b8d…

MALICIOUS

PDF

79.4 KB Created: 2021-05-16 00:17:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75de7a9c18e46528a3f55d13a2166cb2 SHA-1: 2308106ba45c1706ade727b44b8bfb392e8bb151 SHA-256: f76034e0c1942b8d77e3c425b1fa7e9be3dc43d1b349b134299908c3cff0df80
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded link to a suspicious domain, 'privateguardingserviceagainstdanger.site', which is flagged by heuristics as a random URL link and by ML classifiers as malicious. The document body, though heavily obfuscated, appears to contain metadata related to 'wkhtmltopdf' and a date, suggesting it might be a lure for technical information or a product. The presence of multiple suspicious URLs and a high ML score indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/strik?utm_term=whirlpool+ultimate+care+ii+lid+switch+part+number
    • http://privateguardingserviceagainstdanger.site/10897108194tvh4j.pdf
    • http://retys.fun/solidworks_student_free_trial4r2jf.pdf
    • http://thrivewebs.com/hex_head_screw_dimensionsntk29.pdf
    • http://chtotakoebezuz.biz/4914546683mr4m8.pdf
    • https://cdn-cms.f-static.net/uploads/4459914/normal_6044257c6779a.pdf
    • http://ezfix.asia/bumizevanivezesenuwebanv79eo.pdf
    • https://cdn-cms.f-static.net/uploads/4500668/normal_605dccbd5e413.pdf
    • https://static.s123-cdn-static.com/uploads/4391620/normal_5fff395f5d0af.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/88d11554-40fe-48e5-b35e-f944eb992952/vatazakoxum.pdf
    • https://uploads.strikinglycdn.com/files/64ec194c-5b82-47e0-8ab7-fa5e608ab45a/computer_system_validation_fda_warning_letters.pdf
    • https://uploads.strikinglycdn.com/files/b5097ca4-b7c6-46f7-a18a-166fe72773b6/86979660018.pdf
    • https://s3.amazonaws.com/lixuzo/indiana_dunes_map.pdf
    • https://689a2394-1721-4ce0-b6f7-af9f1dc0d621.filesusr.com/ugd/0f5b72_2b32b722cb084f2bb2c76851232cacb8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/b9879a87-135f-46ec-939e-425ed58e317d/take_the_word_of_god_with_you.pdf
    • https://8c1dc56a-a131-4b43-acff-3635b9115217.filesusr.com/ugd/90423f_2743e756321043b5a3f720fbdaca06e7.pdf?index=true
    • https://s3.amazonaws.com/rizezobabub/51989438609.pdf
    • https://ba3a7bb5-edd2-4228-b29c-cf272df6a868.filesusr.com/ugd/bd1c09_be3d6e8b662e4bdbb45bb457e1703cd8.pdf?index=true
    • https://26c1613e-5d28-4fa3-89cb-3d2c9ab59faf.filesusr.com/ugd/fe83c3_ed75dcfb88ef44fe9dfb8068172906ea.pdf?index=true
    • https://15319a82-8c66-4906-b3c2-464277991f2b.filesusr.com/ugd/070acf_8c83575d8f194aa9835e154862558eb0.pdf?index=true
    • https://s3.amazonaws.com/lorerexeg/hillsborough_county_high_school_baseball_schedule.pdf
    • https://3c3a732a-bc26-4be5-bc29-345d3dbc3408.filesusr.com/ugd/63a963_32315d0bd1ae456fad8f91fa63dc9990.pdf?index=true
    • https://ef90beaa-bca2-431e-862c-49c19dd94618.filesusr.com/ugd/06497e_6fa02f5c77964b8baef1520c8f0d921c.pdf?index=true
    • https://d78d2789-9aef-4bfd-88be-9093bec910ef.filesusr.com/ugd/87a178_6fdbb2fa62bd4d599f11920876593996.pdf?index=true
    • https://98be45bc-63b9-4117-aff7-84a3d4f2c4a0.filesusr.com/ugd/90c678_7073d47b883e444bb5816278d1f52667.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f343.bin
edc0b68af5f56209ddaa53b2ace15995ff12e9466404b8f1209114c8c0e22ba8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF343 5556 bytes
font_01_sfnt_off00010602.bin
7ea8f2ce4408a7f1eeb21125aa3be86aba719c0bd9553fea867fcfb9fd12191a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10602 11632 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.