Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f39bf087cf344b3…

MALICIOUS

PDF

Size: 79.3 KB
Created: 2021-03-18 23:41:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 10f879ded52e9974f559d3f350e3642f
SHA-1: a92f2e59f1bf575340f98b8fe3277cf3bab5ecdb
SHA-256: 8f39bf087cf344b358f7c14e0291b28eefdd92fefed72573bcbad4a6449c47f3
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF file was flagged as malicious by the ML classifier and by ClamAV, whose signature name indicates a phishing trojan. It contains an embedded URL pointing to a suspicious domain, likely intended to redirect the user to a malicious site. Although the document body is heavily obfuscated, its metadata indicates it was generated by wkhtmltopdf, a tool often used to create malicious PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware under the signature name above.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f6d6.bin
  SHA-256: 92673fa10ae934aae40bd9e6d4afc862ca4c683ff7573f3c61e383dc9db5aa4c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF6D6
  Size: 5256 bytes

Filename: font_01_sfnt_off000108a7.bin
  SHA-256: 61540d3e0ba794db445f00f710b1327f713fb5e0a1aa2a59639694dec90507fc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x108A7
  Size: 11464 bytes