Malicious PDF — malware analysis report

Static analysis result for SHA-256 565806335ecf2ca6…

MALICIOUS

PDF

60.6 KB Created: 2020-12-24 22:53:49 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e491cb400cb99a3115bb90be0c8764f9 SHA-1: 593b2b77040dd6a6544a476450aa1282a4d6ce90 SHA-256: 565806335ecf2ca6c658c9a9db8db25bd79ae88e422ce1885e9137c11002628f
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document flagged by ClamAV as Pdf.Phishing.Trojan and a machine learning classifier. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. No scripts were extracted, but the presence of an external URI suggests an attempt to deliver a phishing lure or download a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffi.ru/strik?utm_term=kontravoid+native+state
    • https://static.s123-cdn-static.com/uploads/4454052/normal_5fc7cdfcb4e90.pdf
    • https://cdn-cms.f-static.net/uploads/4393883/normal_5fd3aebabe314.pdf
    • https://static.s123-cdn-static.com/uploads/4450519/normal_5fc71b7b6db3e.pdf
    • https://cdn-cms.f-static.net/uploads/4402520/normal_5fa5beda510d3.pdf
    • https://cdn-cms.f-static.net/uploads/4446401/normal_5faa55046b168.pdf
    • https://static.s123-cdn-static.com/uploads/4444366/normal_5fc692dedae93.pdf
    • https://cdn-cms.f-static.net/uploads/4370985/normal_5fa00c5e2791d.pdf
    • https://cdn-cms.f-static.net/uploads/4379849/normal_5f8cee4416d66.pdf
    • https://cdn-cms.f-static.net/uploads/4376879/normal_5f937bf2a874d.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/rovikibixu/lumudinu.pdf
    • https://s3.amazonaws.com/votawawo/bejuwejadarenu.pdf
    • https://uploads.strikinglycdn.com/files/f1609905-db11-4a6f-83e3-ce20c2f7fb62/jump_and_carry_12_24.pdf
    • https://uploads.strikinglycdn.com/files/5ff8adea-ec30-421f-9ad1-3823d46a4fd5/fusemimemipodanidewuteje.pdf
    • https://s3.amazonaws.com/davubewu/college_board_send_score_reports.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b164.bin
158b4f33cd479c0d316f4e2fea864237f288be8133dd62268d0c44e47f1ff7ae		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB164 4816 bytes
font_01_sfnt_off0000c1da.bin
78e846b4aedb2dd0a8e7b63e268adfbfab84d552b9a105732c827ef9eb5ec0ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC1DA 10100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.