Malicious PDF — malware analysis report

Static analysis result for SHA-256 47d5f4c4ffee77ec…

Verdict: MALICIOUS
File type: PDF
Size: 432.5 KB
Created: 2021-05-18 13:49:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: d68f878eaa1535c0dcbe3c02dd4d29e5
SHA-1: e973bbf60e987ccd05cd3856c0098e5e9401346e
SHA-256: 47d5f4c4ffee77ec646bb1bafba7d24068983f6da5c50a5a8d1ffd8b408054bf
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that redirects to a malicious domain, identified by the 'ML_NYX_PDF_MALICIOUS' heuristic and ClamAV detection. The document body, though heavily obfuscated, suggests a lure related to 'Quimica organica problemas resueltos pdf' (organic chemistry problems solved pdf), indicating a phishing attempt to trick users into visiting the malicious URL. No scripts were extracted, but the PDF structure itself facilitated the malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8935

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://lozipotod.ru/strik?utm_term=quimica+organica+problemas+resueltos+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00066d6f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x66D6F | 5676 bytes
  SHA-256: 09dd11ce09d3a913e62c38d539f29cc1023aacafee5c3abaa8f7c53f92a834eb
font_01_sfnt_off00068099.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x68099 | 14524 bytes
  SHA-256: c8bb9a467c7986000fdd376dab3752a121b5ba9960648d48fd8ceb21778c4f5d