Malicious PDF — malware analysis report

Static analysis result for SHA-256 7acf3fa499d8da17…

MALICIOUS

PDF

Size: 76.4 KB
Created: 2021-03-23 07:14:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5aad8e5d4b4231d720ab7c67238607fa
SHA-1: 2433d793e8edffa5d43b33ca5583632200a408b1
SHA-256: 7acf3fa499d8da17e31b02595ae7eb0751c6267e7531d3a6f16af79d15503aa9
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.007 JavaScript

The file is flagged as malicious by the ML classifier (Nyx PDF Classifier, score 0.9991) and by ClamAV, whose signature names it a PDF phishing trojan. The document's external URI action points to https://bologen.ru/wix?keyword=poulan+pro+450e+lawn+mower+manual; the keyword parameter imitates a search for a Poulan Pro lawn mower manual, a lure shape consistent with search-engine-seeded "manual" PDFs whose only job is to send the reader on to a further download. The other extracted URLs are further .pdf files on file-hosting CDNs and free web hosts with similarly keyword-styled names, plus XMP namespace and font-licence URIs that are metadata rather than clickable links. No JavaScript or other script was extracted, so the T1059.007 tag is not backed by observed script content in this report; the demonstrable risk is social engineering through the link. A duplicate indirect object definition in an incremental update (a parser-confusion shape) was also noted, at informational severity because the duplicate is a body-only difference.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with body bytes that differ. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a new copy of the object after the original), so severity is raised only when the duplicate carries active content such as a URI, JavaScript or launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Of the list below, the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, and scripts.sil.org/OFL is the SIL Open Font License URL, so those come from metadata and embedded-font strings rather than from a link action; the ascendercorp.com entries are most likely font copyright strings as well.
    • URL: https://bologen.ru/wix?keyword=poulan+pro+450e+lawn+mower+manual
    • https://static.s123-cdn-static.com/uploads/4476782/normal_5fc756da4db22.pdf
    • https://cdn.sqhk.co/foroboreb/KHgidhi/remix_song_maker_software_for_pc.pdf
    • https://cdn.sqhk.co/jinubodilev/hjhhFZr/jetaudio_hd_music_player_plus_free_download.pdf
    • https://cdn-cms.f-static.net/uploads/4385417/normal_60395d45837f1.pdf
    • https://cdn.sqhk.co/fefuxumito/cjjigcD/the_last_stand_union_city_unblocked_funblocked.pdf
    • https://static.s123-cdn-static.com/uploads/4425915/normal_5fcf4bb07ea7f.pdf
    • http://dapajurop.mygamesonline.org/fewagodemuroxatuvajekitem.pdf
    • https://cdn-cms.f-static.net/uploads/4448718/normal_5fd288b1c04c2.pdf
    • https://cdn.sqhk.co/lijipatalenu/jiiidb1/alto_s_adventure_wingsuit_proximity.pdf
    • https://static.s123-cdn-static.com/uploads/4458628/normal_5fc827de1ee8c.pdf
    • https://cdn.sqhk.co/jigugabopu/d58jihf/first_national_geographic_magazine_for_sale.pdf
    • http://woxuruko.medianewsonline.com/93947993881.pdf
    • https://cdn-cms.f-static.net/uploads/4485821/normal_604d1b20ee1dc.pdf
    • https://static.s123-cdn-static.com/uploads/4529024/normal_6008ef6b43bf0.pdf
    • http://devuweza.scienceontheweb.net/23856112273.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://e0eedba4-cf99-4c42-97f5-d3f9ae5832dd.filesusr.com/ugd/e36ea7_6d0cc71f840d4442885149fb7f8c3b6f.pdf?index=true
    • https://57fc24c6-ba7c-430a-bdae-05304608b610.filesusr.com/ugd/bc9c68_3a9685f2c79a4adf89e7b28bcc726af5.pdf?index=true
    • https://a68e2ff5-bf17-48e3-82d4-ceb975b85758.filesusr.com/ugd/760101_140befe939ba4bc6a042bf4dc3c3f862.pdf?index=true
    • http://nosigegu.onlinewebshop.net/timoginazat.pdf
    • https://7404da97-7fcf-4d5f-9d5f-3f8644e6773a.filesusr.com/ugd/35f767_982645ba3ac74f6c8ab5fe9ff332e7b2.pdf?index=true
    • https://3f9320ff-391d-49df-b192-c557e211a93c.filesusr.com/ugd/469aea_4801d09c9c89488fb66ac3e4f9278c00.pdf?index=true
    • https://06ebba1c-c738-45d4-b58d-83edbdcc9420.filesusr.com/ugd/b14caa_397a046394d545f7b4dea863baa72268.pdf?index=true
    • https://883cd1dc-02d0-4059-8fa2-99201f92b631.filesusr.com/ugd/6166c9_88684d4ee666489685d6b53ccd1960fd.pdf?index=true
    • https://e966359d-176b-477a-9ad9-c314bea94227.filesusr.com/ugd/fa6f14_bcb0ecc0f5ad47e6a7e5f6ead09bd7ca.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
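The two structural heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) are easy to reproduce by hand. The following is an added example, not part of the original report or its scanner: it builds a constructed two-revision PDF in memory (an original body followed by an incremental update that redefines two objects), then scans it for indirect objects defined more than once with differing bodies, reports which body a first-wins and a last-wins reader would pick, raises severity only when a duplicate carries active content, and lists every /URI target by object. The sample URLs, object numbers and the ACTIVE_KEYS list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Dictionary keys treated as "active content" for severity escalation.
# Assumed list for this example; a production scanner would be broader.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI",
               b"/OpenAction", b"/AA", b"/SubmitForm")

# "N G obj ... endobj" at byte level. This is a deliberate simplification:
# it ignores /Length, xref tables and object streams, which is enough for
# the constructed sample below but not for a hostile real-world file.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI (literal string), allowing backslash-escaped characters inside.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")

# Constructed sample: a one-page PDF with a link annotation (object 4).
ORIGINAL = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.invalid/manual.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Constructed incremental update appended after %%EOF: a benign page resize
# (body-only difference, no active content) and a hijacked link target.
UPDATE = b"""3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://lure.example.invalid/wix?keyword=poulan+pro+manual) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""
SAMPLE = ORIGINAL + UPDATE


def parse_objects(data):
    """Map (num, gen) -> list of body bytes, in file order (first copy first)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies.

    Each finding carries the body a first-wins reader sees, the body a
    last-wins reader sees, and a severity that is only raised when any of
    the competing bodies contains active content.
    """
    findings = []
    for key, bodies in objs.items():
        distinct = [b for i, b in enumerate(bodies) if b not in bodies[:i]]
        if len(distinct) < 2:
            continue  # identical re-emission is not a confusion shape
        active = any(k in b for b in distinct for k in ACTIVE_KEYS)
        findings.append({
            "object": key,
            "first_wins": distinct[0],
            "last_wins": distinct[-1],
            "severity": "high" if active else "info",
        })
    return findings


def extract_uris(objs):
    """Every /URI target as (object, copy_index, url); copy_index 0 is the
    body a first-wins reader resolves, the highest index is last-wins."""
    found = []
    for key, bodies in objs.items():
        for idx, body in enumerate(bodies):
            for m in URI_RE.finditer(body):
                found.append((key, idx, m.group(1).decode("latin-1")))
    return found


if __name__ == "__main__":
    objs = parse_objects(SAMPLE)
    for f in duplicate_objects(objs):
        print(f"{f['object']} redefined, severity={f['severity']}")
        print("   first-wins:", f["first_wins"][:60])
        print("   last-wins: ", f["last_wins"][:60])
    for key, idx, url in extract_uris(objs):
        print(f"URI in {key} copy {idx}: {url}")
```

On the constructed sample, object 3 is reported at informational severity (only the /MediaBox changed) while object 4 is raised to high because both copies carry a /URI action and the target differs between revisions, which is exactly the split the heuristic description above draws. For a real sample the byte-level regex must be replaced by a parser that honours stream /Length values and unpacks object streams, otherwise an attacker can hide an object definition from the scan.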

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font streams; no scripts, embedded files or second-stage payloads were carved.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000ece1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xECE1    5232 bytes
  SHA-256: 55fc5acf371623e849b272ecc5b520371eac08843a0d2e7d863557e677cc0de2
font_01_sfnt_off0000feb8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFEB8    10996 bytes
  SHA-256: f978ba004fe911d2fd4c93dea4176b121574433713a9b09cc96343f50c8c2500