Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bb4c9a7fa985e2e…

Verdict: MALICIOUS
File type: PDF
Size: 78.1 KB
Created: 2021-03-28 12:31:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01e86164c1971653e1366226369f4ffc
SHA-1: 53f2f2c6c707e6fb11606a8fc0c4d22d4c407216
SHA-256: 0bb4c9a7fa985e2e3681eb36dc44e3d00f5d251bb0006480c27f3531e1923b39
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a suspicious domain, likely for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, appears to be a lure related to product installation, aligning with a phishing attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e9ae.bin
    SHA-256: bffc12cb51a6beddc0431b7ebec06d18604e7f5aec7880fb9735ae534cfd4992
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE9AE
    Size: 5060 bytes
  • Filename: font_01_sfnt_off0000fad9.bin
    SHA-256: 721d11833c59eecbd0013fbb782a92c393c99385d210b0765c656fab25e4ef98
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFAD9
    Size: 10064 bytes
  • Filename: font_02_sfnt_off00011cff.bin
    SHA-256: ff5f0ef16caf3e97cd1984b3a03ea88e11eab8cf63d2ee006085a4b9995833f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11CFF
    Size: 4324 bytes