Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d5c980a1336bd75…

MALICIOUS

PDF

Size: 85.2 KB
Created: 2021-05-06 17:03:40 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25ec66dba9aea2e01d21be21655422a9
SHA-1: 228b443d46bc012cf159a3f66606d992bc193f3e
SHA-256: 1d5c980a1336bd75339c6e7f103c91667e3c9e80baf877869a9a715f925b6d16
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. The document body, though heavily obfuscated, contains text suggesting a lure related to 'pseudo grains'. The primary IOC is the external URI pointing to 'https://ponafet.ru/strik', which likely hosts the malicious payload. No scripts were extracted, but the presence of embedded URLs and the overall detection suggest a phishing attempt to redirect users to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=list+of+pseudo+grains

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f88e.bin
  SHA-256: 79869e7c9dc2aff18e1ef3c7b0b1559afd67c4c53af3429ebd109f0b590b5b23
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF88E
  Size: 5116 bytes

Filename: font_01_sfnt_off00010a0a.bin
  SHA-256: 8e324f594cbd8ec903e0be3b8322346eb6e33bd2db012d082de29274205aae38
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10A0A
  Size: 11396 bytes

Filename: font_02_sfnt_off00013095.bin
  SHA-256: 0d6cd34f27181c2d51c8214abb377579777838d5bae2d9b179f510ce85b27f54
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13095
  Size: 16292 bytes