Malicious PDF — malware analysis report

Static analysis result for SHA-256 708f65ea3961d032…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Created: 2021-05-22 02:17:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: ff88b6108132720a4cfc4c12ff204b4a
SHA-1: 71a354dab58076ba8c8f7c6080b151c78d1a5789
SHA-256: 708f65ea3961d03274b8e9df90c0555e5c70bb2465851844c4cc53df0541dc51
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=vodafone+unitymedia+k%25C3%25BCndigung+vorlage+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000f225.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xF225   5496 bytes
  SHA-256: fa97c42e643bd12707a1d77739f8feb57564a38fa407219f333a73d355999db8
font_01_sfnt_off000104ab.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x104AB  12152 bytes
  SHA-256: 66938720ce20f8d17d4fb2e7a553ec70e3b3c9c3f67ca354234d1fdb136a3d94