Malicious PDF — malware analysis report

Static analysis result for SHA-256 414109bebc6b1df2…

MALICIOUS

PDF

72.3 KB Created: 2021-03-23 17:03:26 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 39e6b298c96c8d1012c62a6eabe8b1de SHA-1: 5f4e002cf48208359f249794a4c2b91189d9b4cb SHA-256: 414109bebc6b1df2924349a3950fa4a807b8eff0112996b81d40114808c6c977
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains an embedded URI that redirects to a malicious domain, likely for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. The document's content, though heavily obfuscated, suggests a lure related to a 'podcast planning worksheet', aiming to trick users into visiting the external URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/wix?keyword=podcast+planning+worksheet
    • http://www-sfr-fr-monespace.com/crme_pour_le_visage_avec_matrixyl3y52c.pdf
    • https://cdn.sqhk.co/kenalutaxi/vgfy1jc/22323988084.pdf
    • http://startbastar.online/334191228198i9w0.pdf
    • https://cdn-cms.f-static.net/uploads/4419003/normal_6038339ca75b8.pdf
    • https://cdn-cms.f-static.net/uploads/4454300/normal_60356eced5d61.pdf
    • https://static.s123-cdn-static.com/uploads/4484804/normal_5fdf06e8787bb.pdf
    • https://static.s123-cdn-static.com/uploads/4450512/normal_5fce939d9074a.pdf
    • https://cdn.sqhk.co/semiwewedazi/yjiw6hc/war_commander_wiki_destroyer.pdf
    • https://cdn-cms.f-static.net/uploads/4504839/normal_60198c5a06579.pdf
    • http://wgathering.org/gipolofuxebuzazb40lm.pdf
    • https://static.s123-cdn-static.com/uploads/4486193/normal_5fc64b9b5fd64.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4e45ae30-e080-4771-8121-ace06f43106f/gaxetibupagajatitebiw.pdf
    • https://s3.amazonaws.com/pekatikisuruki/comme_des_garcons_shoe_size_guide.pdf
    • https://s3.amazonaws.com/vaxebisapesi/national_clogging_cue_sheets.pdf
    • https://uploads.strikinglycdn.com/files/90aa2226-762c-4be4-98f6-626966c80917/barska_biometric_safe_manual.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dc61.bin
4b1c3629e09cef534e43901459799126866c42a4212bc2337575b9748b7e0bd1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDC61 5492 bytes
font_01_sfnt_off0000ef1b.bin
03194c5a32d5048047a78eb877d802e1387205e29b21d57bb69d2456c05a3194		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF1B 10496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.