Malicious PDF — malware analysis report

Static analysis result for SHA-256 09ac8850d15b61a6…

Verdict: MALICIOUS
File type: PDF
Size: 76.8 KB
Created: 2021-04-15 22:42:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c6b157db836d7ca0e70b193a69f0337c
SHA-1: a9f79bfce2de3eae5d1e1a6064b960afdf8e331b
SHA-256: 09ac8850d15b61a6b8f3c34837d16373eaaac92e0f04211aa35ae127559059f1
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by a machine learning classifier and by ClamAV, which identifies it as a phishing trojan. It contains an embedded URI pointing to a URL that appears to be part of a phishing lure, disguised with a search-query parameter about puppies for sale. No scripts were explicitly extracted, but the presence of embedded URIs together with the ML and ClamAV detections suggests the document is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://botokaw.ru/strik?utm_term=miniature+dachshund+puppies+for+sale+sa
    • https://cdn.sqhk.co/sidogorego/YcmNjkk/monster_trucks_movie_trailer.pdf
    • http://petajofap.22web.org/wumovevamik.pdf
    • http://boraguw.medianewsonline.com/zopegufezi.pdf
    • http://zenafek.iblogger.org/86305680456.pdf
    • http://goladelexugezi.sportsontheweb.net/princess_diaries_volume_10.pdf
    • http://diporesorojina.scienceontheweb.net/bring_me_to_life_piano_sheet_music.pdf
    • http://jawunefuda.mygamesonline.org/17833207886.pdf
    • https://cdn.sqhk.co/donuvoduvedo/ibjaLij/8748710170.pdf
    • http://xazonojader.mywebcommunity.org/27456244005.pdf
    • https://cdn.sqhk.co/wazofovam/boOgiid/recipe_using_sugar_cubes.pdf
    • https://cdn.sqhk.co/jesisuvov/cijhi0h/accounting_resume_template_microsoft_word.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://demovuxogevere.rf.gd/how_to_cite_davis_drug_guide_for_nurses_14th_edition.pdf
    • http://xugeseza.epizy.com/lefofojujetudorodakaxidaz.pdf
    • https://36d3fe4d-ce77-4ecd-ae21-04b42370c250.filesusr.com/ugd/871c54_6805fa2223044889b955faa93f74be89.pdf?index=true
    • https://uploads.strikinglycdn.com/files/7c5e5fa9-5b17-4cc2-b8e4-01fd30418a18/a_streetcar_named_desire_quotes_scene_2.pdf
    • https://uploads.strikinglycdn.com/files/b8bc9b73-87c3-494e-a96d-49a1283e0ae2/what_is_involuntary_alienation.pdf
    • http://tudugir.atwebpages.com/84731096969.pdf
    • https://28a90398-13b1-4b58-b54c-ed045a6bddf2.filesusr.com/ugd/7e9e1f_b3c0493e8a15410db521d3f5af726792.pdf?index=true
    • https://c0cead0d-5248-483d-940e-95cc3acd9bde.filesusr.com/ugd/20d83a_a7b3ddbe609645fa967cbda5f2c0cc8e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/605978b4-54a4-4aca-a3ce-75cecb4dba3b/does_mendeley_work_with_office_365.pdf
    • http://zorijofoxafa.epizy.com/chiang_rai_tourist_information_centre.pdf
    • https://uploads.strikinglycdn.com/files/6e3cd0d5-f36d-4489-9791-ab19412e4c71/64268062978.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ee3b.bin
    SHA-256: 5d30ca4a4894a7d3075033b8bad922f58b17e7d185cab2141354fc3b4a68b64d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE3B
    Size: 5248 bytes
  • font_01_sfnt_off0001001c.bin
    SHA-256: ea2ec6aaa6a250361b863d16dce752bdde431ec13ac7bd39ea169c0872c62f7a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1001C
    Size: 11264 bytes