Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c6fe79798cd9991…

MALICIOUS

PDF

Size: 93.7 KB
Created: 2021-03-27 11:52:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 744bfb614c597509e1d4fecc15c7cdea
SHA-1: 43b0c92fca0cf7c6879c010415ed29554b350a19
SHA-256: 4c6fe79798cd9991218c17387b15d53ead4b1fe8768446b6ef1e92ed74660a23
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'ponafet.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to product information, potentially to trick users into visiting the malicious URL. No scripts were extracted, but the presence of multiple suspicious URLs suggests the document is designed to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=olympus+om+100mm+f2
    • http://changepass.online/jenemagubipaniluzedt6j8r.pdf
    • http://sberbank.services/6742201291723k2.pdf
    • https://cdn.sqhk.co/jokawefezo/fhchfje/gapiv.pdf
    • http://podipotekoi.ru/ablisa_x_factor_fightl3z1x.pdf
    • http://perevod-card2card24.site/rca_cd_clock_radio_set_timef2k7z.pdf
    • http://snapchat-alert.com/jalonojikoxaximilixilinekebs6h.pdf
    • https://cdn-cms.f-static.net/uploads/4383923/normal_5fd995f141b4b.pdf
    • https://cdn.sqhk.co/matijamaj/HgdFXgh/jadiwokoleroluwa.pdf
    • https://static.s123-cdn-static.com/uploads/4411481/normal_5feb1d9fe4e9c.pdf
    • http://starkrobotics.org/lekawurezawojo3r9l4.pdf
    • http://storedubai.shop/958324822730yhh7.pdf
    • https://cdn.sqhk.co/waximanodif/igewXpR/68879208170.pdf
    • https://cdn.sqhk.co/popenewosaso/fggMMa5/iron_chest_mod_minecraft_1._12_2.pdf
    • https://cdn.sqhk.co/kagurase/dtjgjd7/mastermind_game_application.pdf
    • http://www.opentle.org
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://s3.amazonaws.com/laginekux/bandcamp_er_github.pdf
    • https://s3.amazonaws.com/naxozelozude/traktor_s4_software.pdf
    • https://s3.amazonaws.com/xajowu/83772495128.pdf
    • https://s3.amazonaws.com/gewuwasi/henry_s_freedom_box_story.pdf
    • https://s3.amazonaws.com/lorugipopuxe/54196898928.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.gnu.org/licenses/gpl.html
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source and size.

  • Filename: stream_003_off00010853.bin
    SHA-256: 44106a2045b06c201fe473d08ba8c303468df817ad72396d83b799200b1d2739
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x10853
    Size: 16640 bytes
  • Filename: font_00_sfnt_off0000f837.bin
    SHA-256: 12d43dedd6c7c3e2d37dfb498997bc768d0bf7ee82d08b67a79a7e97d6d51d64
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF837
    Size: 4728 bytes
  • Filename: font_02_sfnt_off000135b1.bin
    SHA-256: a171dd983c727814af2dd249b6f5d7767c85f393fade941ec3a0b6ba77a27d4e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x135B1
    Size: 10912 bytes
  • Filename: font_03_sfnt_off00015b1a.bin
    SHA-256: 05d2457133b820fa77aa358e30e9acfbad3f04c46ced9a37296d9311117db176
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15B1A
    Size: 4324 bytes