Malicious PDF — malware analysis report

Static analysis result for SHA-256 4405e93fec2cb659…

Verdict: MALICIOUS
File type: PDF

Size: 77.4 KB
Created: 2021-03-17 12:58:48 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c7cc3e8d4d91c6c6e9a7832054c26ad5
SHA-1: 77bea523d7fa9a4fac1aa21c447ecd498ea7a515
SHA-256: 4405e93fec2cb6599b2035bdec9267892c39de864a4c17e505cc08c3efa3edb7
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is classified as malicious by the Nyx PDF classifier (score 0.9956) and by ClamAV (signature Pdf.Phishing.Trojan, the only critical-severity heuristic). It carries an external URL action whose target is 'ponafet.ru', plus some thirty further URLs pointing at free-hosting and CDN domains (weebly.com, filesusr.com, sqhk.co, f-static.net), most of them '.pdf' paths with keyword-style names: the shape of a mass-produced document-download lure rather than an exploit document. No JavaScript or other active content was extracted and nothing in the analysis evidences a parser exploit, so the T1059.007 (JavaScript) mapping is not substantiated by the extracted content; the risk is the user following the link. One indirect object is defined twice with differing bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, rated informational): a first-wins and a last-wins reader can resolve different content, so the link target should be confirmed against both definitions. The authoring application, wkhtmltopdf 0.12.5, is consistent with a web page converted to PDF in bulk.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9956

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; what matters is the channel that reached it (macro, JS, link annotation, document body, ...). In this listing only the first entry carries a label: it is the ponafet.ru link referenced in the summary, which the PDF_URI heuristic reports as an external URL action. The w3.org, purl.org and ns.adobe.com entries at the end are RDF, Dublin Core and XMP namespace identifiers from the document's metadata, and scripts.sil.org/OFL is the SIL Open Font License URL; these are metadata strings, not link actions.
    • https://ponafet.ru/award?keyword=immunization+in+pregnancy+pdf
    • https://cdn.sqhk.co/xopuxuvop/OkhghdE/sexaxeduda.pdf
    • http://towufato.mywebcommunity.org/what_are_e_m_service_codes.pdf
    • https://kenoduzuran.weebly.com/uploads/1/3/5/3/135350653/tibinubidamuk.pdf
    • http://electorat.org/pokemon_x_decrypted_rom_for_citra_androidk97w6.pdf
    • http://varistop.site/quadratic_functions_worksheet_algebra_29p0c2.pdf
    • https://sufifova.weebly.com/uploads/1/3/4/7/134736026/6085439.pdf
    • https://cdn-cms.f-static.net/uploads/4454056/normal_604ced5520339.pdf
    • https://tulivugid.weebly.com/uploads/1/3/4/6/134607321/lawafuwuno_jiwatupotara_fojozera_jiripew.pdf
    • http://aduo5.online/creative_company_profile_templateqhaye.pdf
    • http://winoraama.fun/trader_joes_frozen_turkey_burgers_cooking_instructions82rxx.pdf
    • http://bivaxosufuxibo.mygamesonline.org/woxobujivimukuradun.pdf
    • https://cdn.sqhk.co/jekuzedu/h9hcT7x/planet_fitness_apple_valley_california.pdf
    • https://cdn-cms.f-static.net/uploads/4379217/normal_60129c286add8.pdf
    • https://xadifera.weebly.com/uploads/1/3/1/4/131438156/fodos_jopegafot_bijusulikobilu.pdf
    • https://mamowolo.weebly.com/uploads/1/3/4/7/134714390/pewajulikeni.pdf
    • http://raxejudesezix.scienceontheweb.net/modal_verbs_meaning_and_examples.pdf
    • https://cdn.sqhk.co/fudimesa/hfKhfjb/racing_race_car_song.pdf
    • https://cdn-cms.f-static.net/uploads/4424364/normal_604335fad2f9a.pdf
    • https://cdn.sqhk.co/nifodotiriru/ZibSjjp/munsell_soil_color_chart_10yr.pdf
    • https://cdn.sqhk.co/rapawaferew/pgijeYd/mopar_evts_base_plan.pdf
    • https://cdn-cms.f-static.net/uploads/4492900/normal_6023f97c40602.pdf
    • http://rafupofamurawaf.mygamesonline.org/vinubapiwojimosarapuji.pdf
    • https://static.s123-cdn-static.com/uploads/4379846/normal_5fced1f563fee.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vutogebufuz.myartsonline.com/fusionner_2_a4_en_1_a3.pdf
    • https://677e6977-fc43-48b2-ac81-16e478c8573b.filesusr.com/ugd/3750c2_7895eb5f34b14130ab54e5120342495f.pdf?index=true
    • https://ba3a7bb5-edd2-4228-b29c-cf272df6a868.filesusr.com/ugd/bd1c09_7edc266228694002943d96ec85c7aa81.pdf?index=true
    • https://ba30dffa-51fe-4caa-9472-6f142403a9bb.filesusr.com/ugd/c2007e_7a06694fd1b94878ba75593bb51758da.pdf?index=true
    • https://4b523d79-2bc6-404f-8e52-0acae4d2cb03.filesusr.com/ugd/fe1b41_70f595452324414299f23f6b9f210128.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
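The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above describe what was checked; the following is an added worked example (editor-written, not the analysis tool's code) of how to reproduce both checks on raw PDF bytes. It lists every indirect object definition in file order, reports objects defined more than once with different bodies, resolves each the way a first-wins and a last-wins reader would, and pulls the /URI targets out of each version so the two can be compared. The sample document, its object numbers and the benign.example / lure.example URLs are constructed for the example; xref tables are omitted because the scan deliberately does not use them.

```python
# Added example for the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics.
# Editor-written triage code, not the report tool's own scanner. SAMPLE_PDF is a
# constructed document (hypothetical URLs, xref tables omitted) in which an
# incremental update redefines the link annotation's /URI target.
import re
from collections import defaultdict

# "N G obj ... endobj": every definition in file order, repeats included.
# The xref table is ignored on purpose: it is exactly what first-wins and
# last-wins readers disagree about, so a triage scan must not trust it.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI values only; hex-string (<...>) targets are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Dictionary keys that make a duplicate "carry active content".
ACTIVE_RE = re.compile(rb"/(URI|JS|JavaScript|Launch|SubmitForm|OpenAction|AA)\b")

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20]
  /A << /S /URI /URI (https://benign.example/terms) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20]
  /A << /S /URI /URI (https://lure.example/award?keyword=pdf) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""


def parse_objects(data: bytes):
    """Return [(num, gen, body_bytes), ...] for every indirect object definition."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """(num, gen) -> list of bodies for objects defined more than once with
    differing bytes. Byte-identical re-definitions are dropped: they cannot
    make two readers disagree, which is the heuristic's concern."""
    bodies = defaultdict(list)
    for num, gen, body in objs:
        bodies[(num, gen)].append(body)
    return {key: v for key, v in bodies.items() if len(set(v)) > 1}


def resolve(objs, num, gen, policy="last"):
    """Body a reader would use for (num, gen): 'first' for a first-wins parser,
    'last' for a last-wins parser (the normal incremental-update semantics)."""
    bodies = [b for n, g, b in objs if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def uri_actions(body: bytes):
    """/URI targets in one object body, with the \\( \\) \\\\ escapes undone."""
    return [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(body)]


def active_keys(body: bytes):
    """Sorted names of action/script keys present in the body."""
    return sorted({m.group(1).decode("ascii") for m in ACTIVE_RE.finditer(body)})


def triage(data: bytes):
    """For each duplicated object: the URIs a first-wins and a last-wins reader
    would follow, the active keys seen in any version, and whether the heuristic's
    escalation condition (a duplicate that carries active content) is met."""
    objs = parse_objects(data)
    report = {}
    for key, bodies in duplicate_objects(objs).items():
        active = sorted({k for b in bodies for k in active_keys(b)})
        report[key] = {
            "first_wins": uri_actions(bodies[0]),
            "last_wins": uri_actions(bodies[-1]),
            "active_keys": active,
            "escalate": bool(active),
        }
    return report
```

Run triage() on the real sample and compare the two URI lists for each duplicated object. If a link annotation is the object that was redefined, the lure's visible target depends on which reader opened it, and the heuristic's escalation condition is met regardless of which version a given reader rendered.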

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eed5.bin
    SHA-256: 1d66c881f7ad347db4c5c82937fe993680605d6f978535c869db318bcb4812ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEED5
    Size: 5356 bytes
  • font_01_sfnt_off00010109.bin
    SHA-256: f9f5ae7257d42695c3cfafe9cce7960c2a5f053a04b00b71f81248521ebdbc62
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10109
    Size: 11116 bytes
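Embedded fonts are handed straight to the reader's font parser, so before filing carved sfnt streams like the two above as benign artifacts it is worth confirming that each one is a structurally consistent sfnt. The following is an added example (editor-written, not output of the report tool) that parses the sfnt offset table and table directory, bounds-checks every table record against the carved size, and recomputes each table's checksum, which is how truncated carve-outs and tampered directories show up. SAMPLE_FONT is a constructed two-table sfnt built by build_sfnt(), not one of the carved files; running check_carved_font() on the real .bin files assumes they begin at the sfnt header.

```python
# Added example for the carved font streams above. Editor-written triage code,
# not output of the report tool. SAMPLE_FONT is constructed test data.
import struct

SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}  # TrueType, CFF OpenType, Apple TrueType
HEADER_LEN, RECORD_LEN = 12, 16


def table_checksum(data: bytes) -> int:
    """OpenType table checksum: sum of big-endian uint32 words over the table
    zero-padded to a 4-byte boundary, modulo 2**32."""
    padded = data + b"\x00" * ((-len(data)) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def directory_checksum(tag: bytes, data: bytes) -> int:
    """Checksum as it must appear in the directory record. For 'head' the
    checkSumAdjustment field (bytes 8..12) is treated as zero, per the spec."""
    if tag == b"head" and len(data) >= 12:
        data = data[:8] + b"\x00" * 4 + data[12:]
    return table_checksum(data)


def parse_sfnt(blob: bytes):
    """Parse the offset table and table directory of a carved sfnt.
    Returns {tag: (offset, length, checksum_ok)}; raises ValueError when the
    directory points outside the blob, which is what a truncated or
    deliberately malformed carve-out looks like."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than an sfnt offset table")
    magic, num_tables = blob[:4], struct.unpack(">H", blob[4:6])[0]
    if magic not in SFNT_MAGICS:
        raise ValueError(f"unknown sfnt version tag {magic!r}")
    directory_end = HEADER_LEN + RECORD_LEN * num_tables
    if directory_end > len(blob):
        raise ValueError(f"directory declares {num_tables} tables but blob is {len(blob)} bytes")
    tables = {}
    for i in range(num_tables):
        rec = blob[HEADER_LEN + RECORD_LEN * i: HEADER_LEN + RECORD_LEN * (i + 1)]
        tag, csum, offset, length = struct.unpack(">4sIII", rec)
        # Table data must follow the directory and stay inside the carved bytes.
        if offset < directory_end or offset + length > len(blob):
            raise ValueError(f"table {tag!r} at {offset}+{length} lies outside the blob")
        ok = directory_checksum(tag, blob[offset:offset + length]) == csum
        tables[tag.decode("latin-1")] = (offset, length, ok)
    return tables


def check_carved_font(blob: bytes) -> str:
    """One-line verdict: 'ok', 'checksum mismatch: <tags>', or 'malformed: <why>'."""
    try:
        tables = parse_sfnt(blob)
    except ValueError as err:
        return f"malformed: {err}"
    bad = sorted(tag for tag, (_, _, ok) in tables.items() if not ok)
    return "ok" if not bad else "checksum mismatch: " + ",".join(bad)


def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal TrueType-flavoured sfnt from {tag: bytes}
    (constructed test data; directory checksums are correct by construction)."""
    num = len(tables)
    entry_selector = max(0, num.bit_length() - 1)          # floor(log2(num))
    search_range = (1 << entry_selector) * RECORD_LEN
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num,
                         search_range, entry_selector, num * RECORD_LEN - search_range)
    offset = HEADER_LEN + RECORD_LEN * num
    directory, body = b"", b""
    for tag, data in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag, directory_checksum(tag, data), offset, len(data))
        padded = data + b"\x00" * ((-len(data)) % 4)
        body += padded
        offset += len(padded)
    return header + directory + body


# Constructed sample: 'head' (54 bytes, version 1.0, rest zero) and
# 'maxp' (version 0.5, numGlyphs 16).
SAMPLE_FONT = build_sfnt({b"head": b"\x00\x01\x00\x00" + b"\x00" * 50,
                          b"maxp": b"\x00\x00\x50\x00\x00\x10"})


def flip_byte(blob: bytes, tag: str) -> bytes:
    """Corrupt the first byte of one table, to show the checksum catching it."""
    offset = parse_sfnt(blob)[tag][0]
    out = bytearray(blob)
    out[offset] ^= 0x01
    return bytes(out)
```

A checksum mismatch is not proof of malice (some font tools write stale checksums), but a directory that runs past the end of the stream, or a table overlapping the directory, means the reader's font parser is being fed something the carving tool's size does not account for, and the stream deserves a closer look than a benign-font label.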