Malicious PDF — malware analysis report

Static analysis result for SHA-256 399e2d4df7946d18…

Verdict: MALICIOUS

File type: PDF

Size: 135.7 KB
Created: 2021-04-23 10:23:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a8a760932f4a86f39956665f3e91a4e2
SHA-1: 6d6078b3374c222590e279a4fe709a3c05dcba94
SHA-256: 399e2d4df7946d188a38b6875e2037e6ffa952aa0e94770cabb2c4f70bae820c
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The PDF contains an embedded URL pointing to a suspicious domain, likely a phishing lure. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site, consistent with phishing or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ponafet.ru/strik?utm_term=tipos+de+sensores+sistemas+de+informacion+geografica
    • http://kimiter.medianewsonline.com/swiftui_book.pdf
    • http://pububasolemi.22web.org/canon_rebel_t5_eos_1200d_owners_manual.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/f2e6b9b5-4d24-4346-9743-2d2cd0364f19/tropic_of_cancer_latitude_is_largely_covered_with_forest.pdf
    • http://namutogenasokab.epizy.com/159828224.pdf
    • https://uploads.strikinglycdn.com/files/1da0b0c3-f0db-4670-86e7-d78b8a0882e3/understanding_the_book_of_daniel_in_the_bible.pdf
    • https://s3.amazonaws.com/zibenoroduzuw/2786559914.pdf
    • https://uploads.strikinglycdn.com/files/ab71a815-d766-4bf3-9764-85fd73f69759/how_to_program_a_ti_30x_iis.pdf
    • https://uploads.strikinglycdn.com/files/4820cc17-7e1f-4ffa-8bd9-23e09747d667/how_to_tune_an_acoustic_guitar_with_a_snark_tuner.pdf
    • https://uploads.strikinglycdn.com/files/e7e31e85-c803-4c43-a1e0-56f9172a7663/rugisesami.pdf
    • https://s3.amazonaws.com/dujepav/debulawesojatagirafedosi.pdf
    • http://zorikeroz.onlinewebshop.net/gukexusibigojozena.pdf
    • http://sabinozugi.epizy.com/pizimutadakudezisopefebex.pdf
    • https://uploads.strikinglycdn.com/files/b3c9915a-0b15-4a93-b024-6d9ba9d665c1/internal_combustion_engine_fundamentals_free_download.pdf
    • https://s3.amazonaws.com/zidosozawok/86420815313.pdf
    • https://uploads.strikinglycdn.com/files/c929a095-4d43-4070-8881-ca87a8994d83/trunk_control_test_tct.pdf
    • http://disiroto.epizy.com/tuxegipupago.pdf
    • https://uploads.strikinglycdn.com/files/569ab03a-02ce-4fcf-b5ba-4915ec7811ca/34685688767.pdf
    • https://s3.amazonaws.com/tikoweravisixu/free_call_recorder_for_samsung_mobile.pdf
    • https://uploads.strikinglycdn.com/files/9ecfaf76-dbfc-41dd-8563-e419f6ff3979/77273621897.pdf
    • https://uploads.strikinglycdn.com/files/b5fea021-0769-4c00-b16a-d099707b4c09/how_do_i_fix_e1_error_in_ifb_washing_machine.pdf
    • https://uploads.strikinglycdn.com/files/2911689b-c2bf-4431-964d-c85dcdc05797/kujige.pdf
    • https://uploads.strikinglycdn.com/files/5f08432b-e063-446e-a523-46ce3d12fbf2/panasonic_bq_cc17_manual.pdf
    • https://uploads.strikinglycdn.com/files/5ed007f2-ba69-42c5-9141-aa09877280ef/how_to_handle_a_mother_with_borderline_personality_disorder.pdf
    • https://uploads.strikinglycdn.com/files/7bf7d1c2-9b54-4096-b633-16cec5f20889/a_chorus_line_richie_monologue.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0001d419.bin
    SHA-256: dd35e7f7c84aab55ffd385c0c7cfd2a5ffe76b685ee708191a3812f69298513a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D419
    Size: 5392 bytes
  • font_01_sfnt_off0001e659.bin
    SHA-256: bc269b04bbcf31920fb9d425270d863a0c2c9ff5cdd3d7e0825edfae3f9c3e0a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1E659
    Size: 12696 bytes