Malicious PDF — malware analysis report

Static analysis result for SHA-256 339ac8b45a21b63f…

MALICIOUS

PDF

Size: 204.2 KB
Created: 2021-06-04 09:15:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 8ee6416908c4a45a2d1f018844043f4e
SHA-1: ca78e131d7b829fee0c387f6219f7149bee794ec
SHA-256: 339ac8b45a21b63ffeda13b266e043a0cad206cdbb5484f8101c554ce79791b4
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URI pointing to a suspicious domain, identified by heuristics and a machine learning classifier as malicious. The ClamAV detection further confirms its malicious nature, classifying it as Pdf.Phishing.Trojan. The document body is heavily obfuscated and unreadable, but the presence of the external URI suggests an attempt to redirect the user to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6717

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://baarspo.ru/123?utm_term=attitude+status++punjabi (PDF link annotation)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • http://fedorahosted.org/lohit (in PDF document text)
    • http://www.daltonmaag.com/ (in PDF document text)
    • http://venatulafiz.pbworks.com/f/temple_tiger_and_more_man-eaters_of_kumaon.pdf (in PDF document text)
    • http://natizasex.pbworks.com/w/file/fetch/144569622/61885578614.pdf (in PDF document text)
    • http://nefusim.pbworks.com/f/diff_between_electron_microscope_and_compound_microscope.pdf (in PDF document text)
    • http://mefijunov.pbworks.com/f/what_lives_in_a_swamp_ecosystem.pdf (in PDF document text)
    • http://siwuromo.pbworks.com/f/pool_billiards_pro_8_ball_game_apk.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/20d44874-476f-45ff-9ebe-72db604eec5e/kazotusoxegusipeponen.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/25781a6f-acf9-4d3f-a3c3-475c2208157c/how_to_paint_a_tree_with_acrylics.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/ade7353e-c3b5-406d-a766-7dea0727a5fa/formula_para_calcular_volumen_de_un_prisma_triangular.pdf (in PDF document text)
    • http://bijinim.pbworks.com/f/funusifexufal.pdf (in PDF document text)
    • http://vawaguzidatu.pbworks.com/w/file/fetch/144424212/82006588735.pdf (in PDF document text)
    • http://pamotekegopa.pbworks.com/w/file/fetch/144466098/us_army_games_unblocked.pdf (in PDF document text)
    • http://nikekuva.pbworks.com/w/file/fetch/144597720/gexosot.pdf (in PDF document text)
    • http://jebodigezev.pbworks.com/w/file/fetch/144491013/yamaha_aerox_50_tuning_guide.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/b8749e34-d72c-42cc-bd52-729a48e8123e/apc_br1500g_back-ups_pro_1500_va.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/fdd5e378-108e-48e1-bb37-b68faf30831f/doluvuwumixilogajeladil.pdf (in PDF document text)
    • http://nilanom.pbworks.com/w/file/fetch/144416577/night_owls_de_jenn_bennett_sinopsis.pdf (in PDF document text)
    • http://xesimisejek.pbworks.com/f/89622515036.pdf (in PDF document text)
    • http://pezeliv.pbworks.com/f/58674844462.pdf (in PDF document text)
    • http://sonopewobu.pbworks.com/f/34364482664.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9cce9749-2125-4892-bf30-c8f1192dc94b/ipod_nano_2nd_generation_4gb_manual.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • https://savannah.gnu.org/projects/freefont/ (in PDF document text)
    • http://www.gnu.org/licenses/ (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.html (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU (in PDF document text)
    • http://www.gnu.org/copyleft/gpl.htmRegular (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size and SHA-256.

font_00_sfnt_off0001ced7.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1CED7
  Size: 7064 bytes
  SHA-256: de23c655fc5dc4f6df306b8e7ef035f0cb50a2cf886af957ec37bb831e45bbc4

font_01_sfnt_off0001e0f3.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1E0F3
  Size: 4804 bytes
  SHA-256: fee5da656b75ff5ac671375948d91bb0d6578762f244027f94093065640923af

font_02_sfnt_off0001f140.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1F140
  Size: 3720 bytes
  SHA-256: d0c9e33916e9e64e42e31bcf0d345f6c2fcd41735b1a34df0119bd0eb1094281

font_03_sfnt_off0001fca4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1FCA4
  Size: 12908 bytes
  SHA-256: 86ee9f6c8997e815876c93f2184c70334618ddd46626b3d39e0435b0fec5cbc2

font_04_sfnt_off000220bc.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x220BC
  Size: 50096 bytes
  SHA-256: d68af59ea143c10c5baabf2b2f750af82ff356c20f39eaefd75d012109700e79

font_05_sfnt_off0002b011.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2B011
  Size: 11616 bytes
  SHA-256: f6d350f530702e5032da54c3598a4345e291364cc24dd52e654bd76ae745109f

font_06_sfnt_off0002d79a.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2D79A
  Size: 23768 bytes
  SHA-256: 28b17e266ab970976b4699b380fb215779cafe9c57e0cd61cc3b947fc8b069c3

font_07_sfnt_off0002ff8d.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2FF8D
  Size: 4324 bytes
  SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176

font_08_sfnt_off00030d8d.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x30D8D
  Size: 4280 bytes
  SHA-256: 8305fa436b5269e4a88b671d2bfed2616f42b931eb14b6a6f1e1074bd6f50ca3