Malicious PDF — malware analysis report

Static analysis result for SHA-256 00f8fb376bd0d02c…

Verdict: MALICIOUS
File type: PDF
Size: 94.9 KB
Created: 2021-04-07 02:05:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8174f07052856aae2d0f5a21f56bfefc
SHA-1: 926f517b47fdd12bb795f86de20355bb43b71f68
SHA-256: 00f8fb376bd0d02cd049dca46039b521306760825ac10d8266205c923e1a1b1d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan payload. It contains an external URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to exploit users through deceptive content, aligning with spearphishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9914

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • font_00_sfnt_off000115a8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x115A8
    Size: 5228 bytes
    SHA-256: 6eebfb45a0ed987e654bc708c1b3557800a1074f4b3bb8764b598c25943c2587
  • font_01_sfnt_off0001271e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1271E
    Size: 6168 bytes
    SHA-256: 9857c94a8075f63bd19945fab8d021764579c4fd6569a81599841c1724c18950
  • font_02_sfnt_off00013605.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13605
    Size: 12020 bytes
    SHA-256: b3b3b53bb14ce4dd57fe5b062d9e538d73bc7de14da7a3d2926053e2b79f931b
  • font_03_sfnt_off00015eed.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15EED
    Size: 4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378