Malicious PDF — malware analysis report

Static analysis result for SHA-256 554be5f458ea9352…

MALICIOUS

PDF

Size: 110.4 KB
Created: 2021-03-16 08:29:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0da570b050139376497da137137a18df
SHA-1: 7ed3053aa34ac30631d09309c01272cd95ea3130
SHA-256: 554be5f458ea935283b149bfa8685bf88e5a8cd1244fab8e4c7f1f2c558e0f86
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URL `https://ponafet.ru/wix?keyword=downloadprovider.apk+%25D1%2587%25D1%2582%25D0%25BE+%25D1%258D%25D1%2582%25D0%25BE` suggests the document is a lure to download an Android application. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/wix?keyword=downloadprovider.apk+%25D1%2587%25D1%2582%25D0%25BE+%25D1%258D%25D1%2582%25D0%25BE

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00016368.bin
SHA-256: 058d8d29dfe1459f34e53673bce7652a425b65212d107f494e8b702a28384103
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16368
Size: 5388 bytes

Filename: font_01_sfnt_off000175b4.bin
SHA-256: d6db979794b877c14f587ed2536aa834bdb669e7c4f171867986196473da8db7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x175B4
Size: 17096 bytes