Malicious PDF — malware analysis report

Static analysis result for SHA-256 03ea2edf794de7da…

MALICIOUS

PDF

Size: 78.0 KB
Created: 2021-05-31 15:44:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 338b9f99cc234f87ff2912b0983fca3b
SHA-1: e2be3fa5cb3ea3d8c1d9a0d027c6f40fe5407ac3
SHA-256: 03ea2edf794de7da35bdb2e32a5b3e4adf7b4f13b2c3f71dfd22909747ebf2fd
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan, and a machine learning classifier indicated a high probability of maliciousness. An embedded URI points to 'baarspo.ru', a domain often associated with phishing campaigns. The document body, though heavily obfuscated, contains references to 'Fannie Mae underwriting guidelines 2019', suggesting a lure that impersonates a financial entity. No scripts were extracted, but the presence of external URLs together with the phishing indicators strongly suggests malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://baarspo.ru/123?utm_term=fannie+mae+underwriting+guidelines+2019

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000f14b.bin
    SHA-256: 9c496c82f12285b18d0aa0acb4bedab1db6628d1a4bd8d7eb47ddaed749f767c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF14B
    Size: 5676 bytes
  • font_01_sfnt_off0001049a.bin
    SHA-256: c64cf53a31b0c49e7115ceae9d7f781115fe3ab929d79137eca61fbc6b47653a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1049A
    Size: 11036 bytes