Malicious PDF — malware analysis report

Static analysis result for SHA-256 06f71851c5950212…

MALICIOUS

PDF

Size: 86.1 KB
Created: 2021-03-25 08:51:27 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 401ef5fd594ae06b182541999a12e552
SHA-1: 4616059c93bc987aed372f92ed449d5436af2559
SHA-256: 06f71851c5950212982a4b378760c01175e96504271a39c632c65bedcafaee1f
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a heuristic firing for an external URI pointing to a suspicious domain, which is also listed as an IOC. The document body, though heavily obfuscated, appears to reference a 'Ryobi 7 1/4 sliding compound mitre saw', suggesting a lure for a phishing or scam attempt. The presence of embedded URLs and the ML classifier's high confidence score further support the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/strik?utm_term=ryobi+7+1%252F4+sliding+compound+mitre+saw

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off000100be.bin
    SHA-256: 143b01c1c9a8a02ef7d826de657ebbd63f0b9d5d708cd9db9aba1531cb8d0731
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100BE
    Size: 5872 bytes

font_01_sfnt_off000114c4.bin
    SHA-256: caccac37815ff68ce1f892e23868f722709ef9074ea3b07cbd37b8b3b8756792
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x114C4
    Size: 11176 bytes

font_02_sfnt_off00013adb.bin
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13ADB
    Size: 4324 bytes