Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a9b874ec7a33775…

MALICIOUS

PDF

103.8 KB Created: 2021-05-28 15:47:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 589bc1eff88c9a77058045f9f6b41f55 SHA-1: 1f0fcbd84d7f1752d17dcb71758e8ac7fd740d3b SHA-256: 8a9b874ec7a3377550011aae5ffb8c0e8621175b53bccb181beb1add12e55dc5
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF identified as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'https://zajinet.ru/strik?utm_term=gestion+de+la+calidad+total+libro+pdf', which is flagged as suspicious. The PDF structure and embedded content suggest it is designed to trick users into visiting this external link, likely as part of a phishing or malware delivery scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/strik?utm_term=gestion+de+la+calidad+total+libro+pdf
    • https://cdn-cms.f-static.net/uploads/4385021/normal_6050628799537.pdf
    • https://cdn-cms.f-static.net/uploads/4467601/normal_602e21fa9bf6b.pdf
    • https://static.s123-cdn-static.com/uploads/4479462/normal_5fee042b91de8.pdf
    • https://static.s123-cdn-static.com/uploads/4376354/normal_5ff82a95c51a3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/3cf3d3e8-8a52-480a-a9b9-e36fae84e4f3/gidubefifafitemedine.pdf
    • https://uploads.strikinglycdn.com/files/6ab6a30e-9fe3-4f66-8968-ef281012196b/doniguwuxuwonez.pdf
    • https://uploads.strikinglycdn.com/files/fc693bf8-8542-4246-acb5-534bb3c6ab4b/sarub.pdf
    • https://uploads.strikinglycdn.com/files/3a41a15c-00e8-43a7-9c0b-8209045790e0/gufajanofoje.pdf
    • https://uploads.strikinglycdn.com/files/fabeb59a-8487-4da2-b1e6-e1ac43e5db50/jewelirijo.pdf
    • https://uploads.strikinglycdn.com/files/b74696b7-338f-4a9e-b9e7-357e636c2998/how_to_tell_if_a_furnace_heat_exchanger_is_bad.pdf
    • https://uploads.strikinglycdn.com/files/622bebc6-be47-4f61-b94a-2a11e0379d3c/34054515678.pdf
    • https://uploads.strikinglycdn.com/files/db069f5d-154c-4c5c-93c3-5f4c5b0d032d/31794726995.pdf
    • https://uploads.strikinglycdn.com/files/1c5eaf11-6856-4f93-a6a3-527330919a32/what_do_you_eat_on_the_7_day_cleanse.pdf
    • https://uploads.strikinglycdn.com/files/163f1f20-d149-4915-b339-d23c79eeca10/30716663826.pdf
    • https://uploads.strikinglycdn.com/files/79937b34-da8b-478e-b366-8c8b6b1d6838/12131573671.pdf
    • https://uploads.strikinglycdn.com/files/87d53eb5-9677-4d14-ad3b-254d7705f0a6/how_to_reset_kenmore_665_dishwasher.pdf
    • https://uploads.strikinglycdn.com/files/62b01b81-f98b-4fb1-8d7b-85850d443686/what_is_school_climate.pdf
    • https://uploads.strikinglycdn.com/files/f511f2f8-e1dc-46d8-bca9-084971f61699/28797181242.pdf
    • https://uploads.strikinglycdn.com/files/b303d866-9cbe-4465-b62f-19ba7dbd66a6/badass_gaelic_names.pdf
    • https://uploads.strikinglycdn.com/files/7995d759-3beb-48b3-bce2-ceb2d7ca3da7/8663467879.pdf
    • https://uploads.strikinglycdn.com/files/d0edaf43-f2f6-4960-bcc7-c7b4f2bb5ba5/21318949711.pdf
    • https://uploads.strikinglycdn.com/files/d305fe6b-b2ca-4b2c-84ef-3b073c687ee6/goat_farming_business_plan_download.pdf
    • https://uploads.strikinglycdn.com/files/c6e34db1-c9b8-4723-8e19-b8abffa7a1a6/le_petit_prince_movie_vs_book.pdf
    • https://uploads.strikinglycdn.com/files/17eb1105-5892-4550-a5ee-7ec1a2f3ebfb/without_remorse_movie_2020_trailer.pdf
    • https://uploads.strikinglycdn.com/files/b4487457-2039-4ad7-bbfa-e868e09aa895/40286918536.pdf
    • https://uploads.strikinglycdn.com/files/739927d6-d5e6-408c-9467-c554ec81d91d/how_to_use_dremel_3000_attachments.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00015292.bin
345f4cb1c4847cee3a79e5af935f1e443eeb0414fa9471bcbc30111fe6f7008f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15292 5320 bytes
font_01_sfnt_off000164b7.bin
479b234a0b045fd24f06ed31c9a0a23b14660b3fc8986bf7bcd0de1e25cf082d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x164B7 13252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.