Malicious PDF — malware analysis report

Static analysis result for SHA-256 82b428e3a242c0bb…

Verdict: MALICIOUS
File type: PDF
Size: 95.6 KB
Created: 2021-04-23 01:25:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83882344e316bdb94dd41a131d3e8dca
SHA-1: b8731960c86fb9d002fb24f66f2e0f9c8839a2f3
SHA-256: 82b428e3a242c0bb773a0aa541c73c9b1a653929ed031f64db9d4bd3a6926b90
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that, when clicked, leads to a domain associated with malicious activity, likely to trick users into downloading malware disguised as drivers. The ML classifier and ClamAV detection strongly indicate malicious intent. No scripts were extracted, but the presence of a malicious URL within the document body suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9977

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/strik?utm_term=hp+elitebook+2760p+video+drivers

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00012264.bin
    SHA-256: c5f0d99206f1b3813a567d05abd1b94da6602a8b9db19b8f95b240ceb1a21447
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12264
    Size: 5476 bytes
  • font_01_sfnt_off0001351d.bin
    SHA-256: 1912698b0c2e4e58b98ee2b832b5db3a4804cded5a7403a2d95cb20847192b33
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1351D
    Size: 11240 bytes
  • font_02_sfnt_off00015b49.bin
    SHA-256: 503f5200e83b189a546b6c6e1d808633a9135186956fe76ff9bd78de3d91e3c6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15B49
    Size: 16060 bytes