Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a3d5d2bcd35c8f5…

Verdict: MALICIOUS
File type: PDF
Size: 76.1 KB
Created: 2021-05-29 09:42:58 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6440b0bca52d8ca822586b56e2b7c99f
SHA-1: 6351314dc53e99968bc0f5c14a1e58a3644a983e
SHA-256: 8a3d5d2bcd35c8f584dfe43c8ed2bb56847ab0f24fa6452be904aa742ffd73bb
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

ClamAV and the Nyx ML classifier (score 0.9990) both flag the file as malicious. The document carries an external URI action whose target, https://jottigo.ru/strik?utm_term=a+cuantos+gramos+equivale+un+mililitro, has no relation to the document's content; the utm_term (Spanish for "how many grams equal a millilitre") and the linked chemistry_grams_moles_calculations_worksheet.pdf point to a chemistry-homework lure meant to get the reader to click through, with the domain presumably used for phishing or malware delivery. The file was rendered from HTML with wkhtmltopdf; the other extracted URLs are links to further PDFs on website-builder CDNs, font vendor and font licence pages, and XMP namespace identifiers rather than additional payload links. Although T1059.007 (JavaScript) is tagged, no JavaScript heuristic fired in the findings below; the only active content observed is the URI action.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV matched the file against this signature. The name follows the Platform.Category.Name-SignatureID-Revision convention with a hash-like generic name, so it identifies this sample rather than a named campaign or family.
  • External URI info PDF_URI
    The PDF contains a /URI action (an external link target); a reader that follows it opens the browser on that URL. The jottigo.ru link listed first under Embedded URL is the target the summary flags.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers then resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (a re-saved document appends new object versions after the original), so severity is raised only when the duplicate carries active content such as a JavaScript, URI or launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; what matters for triage is the channel that reached it (URI action, link annotation, document body, XMP metadata, font metadata), as grouped below.
    Flagged link target (the URI action):
    • https://jottigo.ru/strik?utm_term=a+cuantos+gramos+equivale+un+mililitro
    Links to other hosted PDFs on website-builder CDNs (the filenames suggest scraped homework and worksheet content; the variant host static.s123-cdn-static-d.com is worth checking separately):
    • https://cdn-cms.f-static.net/uploads/4476954/normal_602edd6a55fb6.pdf
    • https://static.s123-cdn-static.com/uploads/4404108/normal_5fc842749f3e5.pdf
    • https://static.s123-cdn-static.com/uploads/4418399/normal_5fc70d0467380.pdf
    • https://cdn-cms.f-static.net/uploads/4402722/normal_6052a4177ecaa.pdf
    • https://cdn-cms.f-static.net/uploads/4499021/normal_5fd3bddb71181.pdf
    • https://cdn-cms.f-static.net/uploads/4420028/normal_601eb679624f6.pdf
    • https://cdn-cms.f-static.net/uploads/4446377/normal_60148b6198926.pdf
    • https://cdn-cms.f-static.net/uploads/4402504/normal_5fd19b83a33b8.pdf
    • https://cdn-cms.f-static.net/uploads/4443610/normal_600b9a66219c0.pdf
    • https://static.s123-cdn-static.com/uploads/4454281/normal_6007d8493e46f.pdf
    • https://cdn-cms.f-static.net/uploads/4480891/normal_6042c782015c0.pdf
    • https://cdn-cms.f-static.net/uploads/4450514/normal_600e37e4a6af2.pdf
    • https://static.s123-cdn-static.com/uploads/4382772/normal_6007db5eae470.pdf
    • https://static.s123-cdn-static-d.com/uploads/4475729/normal_60aff2a7724a5.pdf
    • https://cdn-cms.f-static.net/uploads/4368970/normal_5fdb7914e6594.pdf
    • https://static.s123-cdn-static.com/uploads/4481695/normal_5fc8abc965de2.pdf
    • https://static.s123-cdn-static.com/uploads/4388169/normal_5ffcac959484a.pdf
    • https://static.s123-cdn-static.com/uploads/4496602/normal_5ff5a6e6dbc78.pdf
    • https://cdn-cms.f-static.net/uploads/4372735/normal_600f1beb976f6.pdf
    • https://uploads.strikinglycdn.com/files/970b1ca0-cdcf-4baa-bc68-04256e058380/chemistry_grams_moles_calculations_worksheet.pdf
    • https://uploads.strikinglycdn.com/files/618253f4-d836-49c0-be7d-2f9e9c7e5f1f/9664139940.pdf
    • https://uploads.strikinglycdn.com/files/9dc3dfcd-f45a-4fce-b600-b0776df0bd7a/my_pet_dog_story.pdf
    • https://uploads.strikinglycdn.com/files/420c1faa-48fb-492a-ae45-a396000a4f36/63080367808.pdf
    • https://uploads.strikinglycdn.com/files/5fa5a2c9-64e1-4abc-b83f-838be22e9260/acupuncture_points_for_neck_and_arm_pain.pdf
    Font vendor (Ascender Corp.) and SIL Open Font License URLs, most likely from the name tables of the two embedded fonts carved below:
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
    XMP/RDF namespace URIs from the document metadata (schema identifiers, not navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
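As an added example (not the scanner's own code), the following Python reproduces the two PDF structure checks above: it indexes every top-level "N G obj ... endobj" definition, reports objects redefined with different bodies, resolves an object under first-wins versus last-wins policies, raises severity only when a differing duplicate carries active content, and lists literal /URI targets. The SAMPLE bytes are a constructed two-revision PDF, not this sample; the domains in it are placeholders, and the regex ignores objects packed inside object streams.

```python
"""Added triage helper for PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI.
Example code, not the report generator's; SAMPLE is a constructed PDF."""
import re
from collections import defaultdict

# Top-level "N G obj ... endobj" pairs. Objects inside /Type /ObjStm streams
# are not visible to this regex; they need stream inflation first.
OBJ_RE = re.compile(rb'(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj', re.S)
# Literal-string /URI targets only; hex strings and escapes are ignored here.
URI_RE = re.compile(rb'/URI\s*\(([^)]*)\)')
# Dictionary keys that make a redefined object "carry active content".
ACTIVE_KEYS = (b'/JavaScript', b'/JS', b'/URI', b'/Launch', b'/OpenAction',
               b'/AA', b'/SubmitForm', b'/GoToR', b'/EmbeddedFile')

def index_objects(data):
    """Map (num, gen) -> list of body bytes in file order (revisions appended)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs

def duplicate_objects(data):
    """Objects whose repeated definitions differ byte-for-byte.
    Returns [(num, gen, first_body, last_body, active)]."""
    found = []
    for (num, gen), bodies in index_objects(data).items():
        if len(bodies) < 2 or len(set(bodies)) == 1:
            continue
        first, last = bodies[0], bodies[-1]
        active = any(k in first or k in last for k in ACTIVE_KEYS)
        found.append((num, gen, first, last, active))
    return found

def resolve(data, num, gen, policy):
    """Body a reader sees for (num, gen) under 'first' or 'last' wins."""
    bodies = index_objects(data).get((num, gen), [])
    if not bodies:
        return None
    return bodies[0] if policy == 'first' else bodies[-1]

def external_uris(data):
    """All literal-string /URI targets, in file order."""
    return [m.group(1).decode('latin-1') for m in URI_RE.finditer(data)]

def severity(data):
    """'high' when a differing duplicate carries active content, else 'info'."""
    return 'high' if any(d[4] for d in duplicate_objects(data)) else 'info'

# Constructed sample: a one-page PDF whose incremental update silently swaps
# the link annotation target (object 4) and touches the Info dict (object 5).
# Xref tables are omitted; the regex scan does not need them.
SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://example.org/benign) >> >> endobj
5 0 obj << /Producer (constructed sample) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://attacker.example/lure) >> >> endobj
5 0 obj << /Producer (constructed sample) /ModDate (D:20210529094258+03'00') >> endobj
trailer << /Root 1 0 R /Info 5 0 R /Prev 0 >>
%%EOF
"""

if __name__ == '__main__':
    for num, gen, first, last, active in duplicate_objects(SAMPLE):
        print(f'{num} {gen} obj redefined, active={active}')
    print('first-wins target:', resolve(SAMPLE, 4, 0, 'first'))
    print('last-wins target: ', resolve(SAMPLE, 4, 0, 'last'))
    print('severity:', severity(SAMPLE))
    print('URIs:', external_uris(SAMPLE))
```

Run against the sample, object 5 is a benign metadata-only change and stays at info, while object 4 is an active duplicate: a first-wins reader lands on the benign link and a last-wins reader on the lure, which is exactly the split the heuristic is built to catch.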

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000e8eb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xE8EB   5292 bytes
  SHA-256: 6a2a71335d4bd6644a2c3cc7dc6d319874029822cda3c7a1f0341439db44ceb8
font_01_sfnt_off0000fadb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xFADB   11860 bytes
  SHA-256: 4288db7795e8e0f4403be4281a3576a09e7e98a67fd5879ad7b95b39b5c80863

Offsets are positions of the font streams in the original file. Note that 0xE8EB + 5292 bytes extends past 0xFADB, so the listed sizes cannot both be raw on-disk lengths; they are presumably the sizes of the decoded (inflated) streams that were carved.
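Added check for carved fonts like the two above (example code, not part of the report): parse the sfnt table directory, verify every table lies inside the blob, verify each table's checksum (with checkSumAdjustment zeroed for head, as the sfnt specification requires), and confirm the head magic. A carve that fails these checks is either a bad carve or a font worth looking at more closely before handing it to any font parser. The fonts below are constructed with the build_sfnt helper, not the carved artifacts; searchRange, entrySelector and rangeShift are left zero, which real fonts fill in.

```python
"""Added sanity check for carved sfnt (TrueType/OpenType) fonts: directory
bounds, per-table checksums and the head magic. Example code, not the report
generator's; the fonts below are constructed, not the carved artifacts."""
import struct

SFNT_KINDS = {0x00010000: 'TrueType', 0x4F54544F: 'OpenType/CFF', 0x74727565: 'TrueType (Apple)'}
HEAD_MAGIC = 0x5F0F3CF5

def table_checksum(data):
    """sfnt checksum: sum of big-endian uint32 words, zero-padded to 4 bytes, mod 2**32."""
    data = data + b'\0' * (-len(data) % 4)
    return sum(struct.unpack(f'>{len(data) // 4}I', data)) & 0xFFFFFFFF

def parse_sfnt(blob):
    """Parse the table directory; return {'kind', 'tables': {tag: (offset, length)}, 'issues'}."""
    issues, tables = [], {}
    if len(blob) < 12:
        return {'kind': None, 'tables': tables, 'issues': ['header truncated']}
    version, num_tables = struct.unpack('>IH', blob[:6])
    kind = SFNT_KINDS.get(version)
    if kind is None:
        issues.append(f'unknown sfnt version 0x{version:08x}')
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        issues.append(f'directory claims {num_tables} tables but blob is {len(blob)} bytes')
        num_tables = (len(blob) - 12) // 16          # parse only the entries that exist
    for i in range(num_tables):
        tag, csum, off, length = struct.unpack('>4sIII', blob[12 + 16 * i:28 + 16 * i])
        tag = tag.decode('latin-1')
        tables[tag] = (off, length)
        if off < dir_end or off + length > len(blob):
            issues.append(f'table {tag} at 0x{off:x} len {length} lies outside the blob')
            continue
        data = blob[off:off + length]
        if tag == 'head':                            # checkSumAdjustment is zeroed when checksumming head
            data = data[:8] + b'\0\0\0\0' + data[12:]
        if table_checksum(data) != csum:
            issues.append(f'table {tag} checksum mismatch')
    head = tables.get('head')
    if head is None:
        issues.append('no head table')
    elif head[1] != 54:
        issues.append(f'head length {head[1]}, expected 54')
    elif head[0] + 54 <= len(blob):
        magic, = struct.unpack('>I', blob[head[0] + 12:head[0] + 16])
        if magic != HEAD_MAGIC:
            issues.append(f'head magic 0x{magic:08x}, expected 0x{HEAD_MAGIC:08x}')
    return {'kind': kind, 'tables': tables, 'issues': issues}

def build_sfnt(tables, version=0x00010000):
    """Assemble a minimal sfnt from {tag: bytes} with correct offsets and checksums.
    searchRange/entrySelector/rangeShift are left zero (real fonts fill them in)."""
    tags = sorted(tables)
    offset = 12 + 16 * len(tags)
    directory, body = b'', b''
    for tag in tags:
        data = tables[tag]
        padded = data + b'\0' * (-len(data) % 4)
        directory += struct.pack('>4sIII', tag.encode('latin-1'), table_checksum(data), offset, len(data))
        body += padded
        offset += len(padded)
    return struct.pack('>IHHHH', version, len(tags), 0, 0, 0) + directory + body

# Constructed fonts: a well-formed one, one whose name table length runs past EOF,
# one truncated mid-directory, and one whose head magic was overwritten.
HEAD = struct.pack('>IIII', 0x00010000, 0x00010000, 0, HEAD_MAGIC) + b'\0' * 38   # 54 bytes
GOOD = build_sfnt({'head': HEAD, 'cmap': b'\0' * 4, 'name': b'\0' * 6})
BAD_LENGTH = GOOD[:56] + struct.pack('>I', 0x10000) + GOOD[60:]   # name entry at 44, length field at +12
TRUNCATED = GOOD[:40]
BAD_MAGIC = GOOD[:76] + b'\0\0\0\0' + GOOD[80:]                    # head table at 64, magic at +12

if __name__ == '__main__':
    for label, blob in [('good', GOOD), ('bad length', BAD_LENGTH), ('truncated', TRUNCATED), ('bad magic', BAD_MAGIC)]:
        r = parse_sfnt(blob)
        print(f'{label}: {r["kind"]}, tables {sorted(r["tables"])}, issues {r["issues"]}')
```

On a real carve, feed the blob from disk to parse_sfnt and treat any bounds or checksum issue as a reason to stop and look at the stream by hand; a clean result says only that the container is sane, not that the glyph or hinting data inside it is.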