Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e58eaa1c4becc35…

Verdict: MALICIOUS
File type: PDF
Size: 77.9 KB
Created: 2021-04-19 04:35:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b6884addff8e65c22f4c767b069e398
SHA-1: 57fb21a619e3c90c2abe19cd5fc625e07d3e4578
SHA-256: 8e58eaa1c4becc35b294da80435499dd7dd27e937d675b3960be57adba40bef0
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, which specifically identified it as a phishing trojan. It contains an embedded URI pointing to 'ponafet.ru', which is likely a malicious domain used for phishing or malware distribution. The document body, though heavily obfuscated, suggests a lure related to a 'Chick fil a scholarship application form'. No scripts were extracted, but the presence of a suspicious URI in a document flagged as a phishing trojan strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ponafet.ru/strik?utm_term=chick+fil+a+scholarship+application+form

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f2ea.bin
  SHA-256: ab510fee4b543adf00a83c961a50e58623c6d202e1b7a380cf35183126bd704d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF2EA
  Size: 5224 bytes

Filename: font_01_sfnt_off00010487.bin
  SHA-256: 03c66d82fb9db3810ec3ced4c972571ef6167d911bf1ec99a8d1b052808f18c5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10487
  Size: 10920 bytes