Malicious PDF — malware analysis report

Static analysis result for SHA-256 82f65c3e4394f234…

MALICIOUS

PDF

105.5 KB Created: 2020-11-18 08:30:56 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b746f47d351e09bcb6feb4ae6dd3cd95 SHA-1: 1bb5f71c33c6e21da945c8934475d63b8dfdd950 SHA-256: 82f65c3e4394f23423ea2386536292a98593845a56b77e153cd46bb3b422a2fc
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support its malicious nature. Although no scripts were explicitly extracted, the presence of an external URI suggests the document's purpose is to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/strik?utm_term=danganronpa+2+akane
    • https://cdn-cms.f-static.net/uploads/4379029/normal_5fa56ef95fe25.pdf
    • https://sagolofuba.weebly.com/uploads/1/3/4/8/134873879/golilikelebuvupow.pdf
    • https://nupariredarig.weebly.com/uploads/1/3/4/3/134357859/4343032.pdf
    • https://dusexitope.weebly.com/uploads/1/3/4/6/134646398/9944119.pdf
    • https://cdn-cms.f-static.net/uploads/4385620/normal_5fa426ed271aa.pdf
    • https://cdn-cms.f-static.net/uploads/4368227/normal_5f87fe8fb0afd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/67292962-d4ff-48c5-88ae-cf49a81eb281/minecraft_13.1_apk_day.pdf
    • https://uploads.strikinglycdn.com/files/92453c2c-f065-47de-b5c0-f0124a15bf60/520336680.pdf
    • https://uploads.strikinglycdn.com/files/c4938a64-75dd-4167-b2bf-86eb37a6d2bc/zowuj.pdf
    • https://uploads.strikinglycdn.com/files/c79ad4de-cf8c-45fc-9772-36463e7cbe12/product_owner_checklist.pdf
    • https://uploads.strikinglycdn.com/files/f127c6b3-bcfa-4499-a29d-f2b609e1d7ab/50187074770.pdf
    • https://uploads.strikinglycdn.com/files/469d08b4-f105-4cc5-994a-5fee0f6d60ee/powusuzidoje.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000155a9.bin
8621f80d22f6580926a9ca2d292b507624f9beaec9b9609be235b689dd90fb9d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x155A9 3928 bytes
font_01_sfnt_off0001638b.bin
98dc6a21a707629b6322f43819ebf4c4dc32345fd6f5226d4079d8ae78f948df		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1638B 4972 bytes
font_02_sfnt_off00017493.bin
0021d11d09647c76df8019ff7f77422e69bf5442fef5b76c594fd96633abfa4a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17493 10848 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.