Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7cbf571a45a3d35…

MALICIOUS

PDF

77.4 KB Created: 2021-02-21 07:17:30 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 633c3fb2b9d531e4134498f7f4935306 SHA-1: 975710e4e9da0d3008f8428f0ce9d57dde5b6343 SHA-256: f7cbf571a45a3d35f80755b09f5717f86213bb7d4658115b8172d540fc119582
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that masquerades as a "Patton oil heater manual" to trick users into clicking it. The PDF also contains embedded JavaScript, likely used to facilitate the redirection to the malicious URL or to further obfuscate the malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jacksth.ru/wix?keyword=patton+oil+heater+manual
    • https://cdn.sqhk.co/wexufenu/gRhijGw/50627386535.pdf
    • http://gufutaca5.xyz/begunoxowewirenivuxitisohquoj.pdf
    • https://cdn.sqhk.co/zewapoxi/gjHhjjj/bowling_alley_west_springfield_ma.pdf
    • https://cdn-cms.f-static.net/uploads/4407070/normal_6013593d01258.pdf
    • https://cdn-cms.f-static.net/uploads/4405895/normal_602622d8447e5.pdf
    • https://cdn.sqhk.co/sururezog/hcheGje/wingstop_menu_flavors_hottest_to_sweetest.pdf
    • https://cdn.sqhk.co/kerametunal/ehgggeH/pop_rock_artists_2000s.pdf
    • http://im-marceting.site/sulazudon0u4r5.pdf
    • https://cdn.sqhk.co/wobuwozavenu/5Jgf0z7/valiant_tales_puzzle_rpg_reroll.pdf
    • https://cdn.sqhk.co/modonasuje/ihmFk1F/guardian_tales_wiki_tier_list.pdf
    • http://setlyb.online/143236735397juq7.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f265.bin
c6ee5812b7cd50ac16828a9e2610654c76dc155fb2b7a79d4d590dd0690352a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF265 4748 bytes
font_01_sfnt_off00010257.bin
e69bd9af6c1fe483cf4275e758604e805e6a778b627330e2990b7c2959bce6ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10257 11340 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.