Malicious PDF — malware analysis report

Static analysis result for SHA-256 85e48da1a69abeb1…

MALICIOUS

PDF

Size: 78.4 KB
Created: 2021-06-01 04:03:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f488a7c0b4469aded6fb447b053b0973
SHA-1: 1a4799e84f537d6bf572a0be777b8c856b909ce0
SHA-256: 85e48da1a69abeb1d8572d31347821f8c33c029581cf820b42cd9f1f6c4511b8
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains an embedded URL that points to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF with high confidence. The document body, though heavily obfuscated, appears to be a lure related to baby carriers, suggesting a phishing or social engineering attempt to drive users to the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://ketchas.ru/pbw?utm_term=can+you+put+a+newborn+in+a+baby+bjorn+bouncer
    • https://cdn-cms.f-static.net/uploads/4446017/normal_606768f3db46d.pdf
    • https://static.s123-cdn-static.com/uploads/4426262/normal_6004c42062d69.pdf
    • https://cdn-cms.f-static.net/uploads/4421199/normal_6015e726cefe3.pdf
    • https://cdn-cms.f-static.net/uploads/4482847/normal_606761c95da12.pdf
    • https://cdn-cms.f-static.net/uploads/4464720/normal_6022e6da0f620.pdf
    • https://cdn-cms.f-static.net/uploads/4401732/normal_60212ada804f4.pdf
    • https://cdn-cms.f-static.net/uploads/4426059/normal_603dbc2507201.pdf
    • https://cdn-cms.f-static.net/uploads/4392651/normal_602def9d44646.pdf
    • https://cdn-cms.f-static.net/uploads/4461497/normal_602428d932327.pdf
    • https://cdn-cms.f-static.net/uploads/4417140/normal_600f34b8c9600.pdf
    • https://static.s123-cdn-static.com/uploads/4390095/normal_5fcecc881e0e2.pdf
    • https://cdn-cms.f-static.net/uploads/4367268/normal_600fa2cd793e0.pdf
    • https://cdn-cms.f-static.net/uploads/4374860/normal_6069217becc9f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/12a0c3b9-9f92-41bd-aa39-81a1b868ab5c/zuwodibisenalojavojize.pdf
    • https://uploads.strikinglycdn.com/files/5f83e92e-e7ea-44c7-a6ec-6276f67ad096/retail_math_test_with_answers.pdf
    • http://bofamawetodo.pbworks.com/w/file/fetch/144433059/18354650959.pdf
    • http://xosufixemuf.pbworks.com/w/file/fetch/144432366/vovepimagogusineju.pdf
    • http://kedetuwi.pbworks.com/f/mongodb_university_m001_final_exam_answers.pdf
    • https://uploads.strikinglycdn.com/files/0ed8cf62-203f-4fc9-8248-3b23731eb03f/ccna_routing_and_switching_portable_command_guide_3rd_edition.pdf
    • http://nilanom.pbworks.com/f/fetch_decode_execute_cycle_steps_a_level.pdf
    • https://uploads.strikinglycdn.com/files/b3cec0b4-4295-4f7f-a96b-80aa5e43d9e4/agatha_christies_poirot_season_1_episode_2.pdf
    • http://jijagenaneke.pbworks.com/f/jovugewipibe.pdf
    • https://uploads.strikinglycdn.com/files/2d0eb87a-93a5-4b3a-a408-e32f3ba85f17/convert_midi_to_sheet_music_online_free.pdf
    • http://pamotekegopa.pbworks.com/f/codominance_multiple_alleles_worksheet_answers.pdf
    • http://fixiguru.pbworks.com/w/file/fetch/144436515/solucionario_lengua_castellana_y_literatura_2_bachillerato_anaya.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f505.bin
  SHA-256: 165ec423a337be9ac63c7d99263115c0052b79ea0ff6b058190d544e61a967f7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF505
  Size: 5032 bytes

Filename: font_01_sfnt_off00010645.bin
  SHA-256: 6c6d279b0d6ec991c18bb37b781796340be52498ad646ad4d2199e3b0b3b8b83
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10645
  Size: 11332 bytes