Malicious PDF — malware analysis report

Static analysis result for SHA-256 57f0012b880c60ba…

Verdict: MALICIOUS
File type: PDF
Size: 76.9 KB
Created: 2021-03-23 11:49:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: cdec56456dc9d8978ef62a4ef9056298
SHA-1: 1f1f251c73603f3e21a8f33cfb650ecbb5cc5a45
SHA-256: 57f0012b880c60ba7f6bed6883a726f03bbd2ad377b78eee71b2e2fe84ef9acb
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by a machine learning classifier (Nyx PDF Classifier, score 0.9991) and by ClamAV, whose signature names it a PDF phishing trojan. It carries an external URI action pointing to https://ponafet.ru/123?utm_term=agmark+mark+full+form, which is likely the primary lure: the search-term-style utm_term parameter and the producer string (wkhtmltopdf, an HTML-to-PDF converter) are consistent with a document generated to redirect readers to an attacker-controlled page rather than to exploit the viewer. No JavaScript or other scripts were extracted, so the T1059.007 mapping is not backed by recovered content; the technique actually observed is redirection through link annotations. One indirect object is also defined twice with differing bodies (see PDF_DUPLICATE_OBJ_BODY_INCREMENTAL below), so an analyst should resolve the document under both first-wins and last-wins semantics before trusting what a single viewer renders. The remaining extracted URLs fall into two groups: further .pdf links on free hosting and CDN services of the same shape as the lure, and XMP namespace and font-license URIs (w3.org, purl.org, ns.adobe.com, scripts.sil.org) that are metadata, not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (not reproduced in this report) indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=agmark+mark+full+form (the URI action target named in the summary above)
    • http://tameeniraq.com/677853124091rk08.pdf
    • http://bawimip.sportsontheweb.net/colegio_de_profesionales_de_enfermeria_del_sur_de_la_provincia_de_santa_fe.pdf
    • http://fegiroxopirez.sportsontheweb.net/lesewurosifudekame.pdf
    • http://rofogukiluvupu.mygamesonline.org/navutawitazikejetopur.pdf
    • http://stalekost.site/best_action_movies_2016q85cd.pdf
    • http://prodive.su/poblano_pepper_nutrition_usda330bo.pdf
    • http://ita-bio.fun/89739426804bqsrf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://zapumodexajo.rf.gd/sagenajesubugipavivoni.pdf
    • https://uploads.strikinglycdn.com/files/36c362ec-5ecf-492b-8b43-f1aae960d2e6/9010767931.pdf
    • http://supajiwa.myartsonline.com/basics_of_civil_engineering_ktu_notes.pdf
    • https://uploads.strikinglycdn.com/files/b10e7211-60bd-4028-88e5-a6aac084437f/how_to_turn_on_blue_yeti_microphone.pdf
    • https://uploads.strikinglycdn.com/files/3d7085be-550f-4f51-abf1-739bc4c62d89/que_es_una_composicin_musical.pdf
    • https://uploads.strikinglycdn.com/files/2df58504-ea3c-4ae1-bb30-a89aaf73e9a7/coaching_soccer_high_school.pdf
    • https://uploads.strikinglycdn.com/files/be0651ed-5c13-4b16-926c-06487dfb3ee9/arris_tm1602a_modem_review.pdf
    • http://gototura.myartsonline.com/xefapufidajivokida.pdf
    • https://uploads.strikinglycdn.com/files/1ee929b1-1607-4d16-917c-10105c868bd5/81090393951.pdf
    • https://uploads.strikinglycdn.com/files/05589314-1ba4-4e8f-9d5e-dd33c0bcf859/how_to_become_someones_medical_power_of_attorney.pdf
    • https://uploads.strikinglycdn.com/files/22d21b37-a236-4797-a49f-dcfd496aefdd/what_is_the_best_programming_language_to_learn_for_cyber_security.pdf
    • http://nerebadaguve.epizy.com/24254529457.pdf
    • https://uploads.strikinglycdn.com/files/5d5bdade-2739-4502-86cd-a9c5539c3e7d/dark_souls_3_weapons_that_can_cast_sorceries_and_miracles.pdf
    • http://romolote.rf.gd/da_de_la_revolucin_mexicana_en_ingls.pdf
    • http://xitevilejagen.rf.gd/95581570467.pdf
    • http://xesawufozimiki.epizy.com/wapking_2019_bollywood.pdf
    • https://uploads.strikinglycdn.com/files/a5b00e92-0e0c-41e6-842c-41d9dca739c3/romeo_juliet_tamil_movie_cut_songs_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (XMP metadata namespace)
    • http://purl.org/dc/elements/1.1/ (XMP metadata namespace)
    • http://ns.adobe.com/pdf/1.3/ (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/ (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/mm/ (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/rights/ (XMP metadata namespace)
    • http://scripts.sil.org/OFL (SIL Open Font License URL)
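As an added worked example (not part of this report and not the scanner's own code) of what the PDF_URI, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics above look for, the Python below pulls /URI targets out of raw PDF bytes and finds indirect objects that are defined more than once with different bodies, showing what a first-wins and a last-wins reader would each resolve and escalating only when the duplicate carries active content. The PDF bytes, the URLs (example.org, lure.example) and the severity rule are constructed for illustration and are not taken from the analysed sample.

```python
"""Added triage example: external /URI actions and duplicate object bodies.

Not the scanner's code.  SAMPLE_PDF is constructed and is not the analysed file.
"""
import hashlib
import re
from collections import defaultdict

# "N G obj ... endobj" over the raw bytes.  Sufficient for a triage pass over
# objects stored in clear; a production tool must also inflate object streams
# and follow the xref chain of every incremental update.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI ( ... ) literal strings; the hex-string form <...> is not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys whose presence makes a conflicting re-definition worth escalating
# (assumed list for this example).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def iter_objects(pdf: bytes):
    """Yield ((num, gen), body_bytes, byte_offset) for every object definition."""
    for m in OBJ_RE.finditer(pdf):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip(), m.start()


def extract_uris(pdf: bytes) -> list[str]:
    """Unique /URI targets in document order, with PDF string escapes removed."""
    seen, out = set(), []
    for m in URI_RE.finditer(pdf):
        uri = re.sub(r"\\([()\\])", r"\1", m.group(1).decode("latin-1"))
        if uri not in seen:
            seen.add(uri)
            out.append(uri)
    return out


def duplicate_objects(pdf: bytes) -> dict:
    """Object ids defined more than once with differing body bytes.

    Returns {(num, gen): {"count", "first_wins", "last_wins", "active_content",
    "severity"}}.  Byte-identical re-definitions are ignored, in line with the
    heuristic's note that plain repeats are common in benign incremental updates.
    """
    defs = defaultdict(list)
    for key, body, offset in iter_objects(pdf):
        defs[key].append((offset, body))
    report = {}
    for key, items in defs.items():
        digests = {hashlib.sha256(body).hexdigest() for _, body in items}
        if len(items) < 2 or len(digests) < 2:
            continue
        active = any(k in body for _, body in items for k in ACTIVE_KEYS)
        report[key] = {
            "count": len(items),
            "first_wins": items[0][1],    # what a first-definition-wins reader sees
            "last_wins": items[-1][1],    # what a last-definition-wins reader sees
            "active_content": active,
            "severity": "high" if active else "info",
        }
    return report


# Constructed sample: link annotation (object 4) first points at a benign URL,
# then an incremental update redefines object 4 to point at a lure.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://example.org/docs) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://lure.example/123?utm_term=x) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    print("URIs:", extract_uris(SAMPLE_PDF))
    for (num, gen), info in duplicate_objects(SAMPLE_PDF).items():
        print(f"{num} {gen} obj defined {info['count']}x, severity {info['severity']}")
        print("  first-wins:", info["first_wins"].decode("latin-1"))
        print("  last-wins: ", info["last_wins"].decode("latin-1"))
```

Run stand-alone to see both definitions of object 4 side by side. Which body a given viewer actually shows depends on whether it follows the final xref section or rebuilds the object table by scanning, so confirm in the target viewer rather than assuming; on a real sample, inflate FlateDecode streams and object streams first, since the regex only sees objects stored in clear.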

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both artifacts are embedded sfnt font programs; no embedded files, scripts or other payloads were carved.

Filename: font_00_sfnt_off0000f00d.bin
  SHA-256: c3077d306036eef595d060754ad8f96daf84406a906c37fd76d7d5992ec4e6b8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF00D
  Size: 4960 bytes

Filename: font_01_sfnt_off000100de.bin
  SHA-256: 3109c9ff85139d54fa8a4c989988db5c1bd840c68095a0eb505d8257d182aa7d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x100DE
  Size: 11032 bytes