Malicious PDF — malware analysis report

Static analysis result for SHA-256 9012798df69ce481…

MALICIOUS

PDF

Size: 77.3 KB
Created: 2021-03-25 04:40:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 17396c56347153d261b0d90369785b63
SHA-1: 5e57fbfe56e5f9c3ac7614acdbc52b1add55f38a
SHA-256: 9012798df69ce481c437599990d8f90ac2e80c848d0401c2fbf36e960fb16a77
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains heuristics indicating the presence of external URIs and embedded URLs, with one prominent URL being https://midufefew.ru/wix?keyword=nest+thermostat+wiring+manual. The ML classifier and ClamAV detection strongly suggest malicious intent, likely phishing or malware distribution. Although no scripts were explicitly extracted, the PDF structure and embedded URI point towards a social engineering attack to redirect users to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/wix?keyword=nest+thermostat+wiring+manual

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e2d3.bin
    SHA-256: b9d9bf96d20a5fbad22fa4bddd71b14809112aa136038716ddea6f8873db89f5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2D3
    Size: 5040 bytes
  • Filename: font_01_sfnt_off0000f3e6.bin
    SHA-256: 0c51cdbaa18df42c70fcfc4330b024c1ad039e5cd60a094937b174732b8ca75b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF3E6
    Size: 11240 bytes
  • Filename: font_02_sfnt_off000119ab.bin
    SHA-256: 0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x119AB
    Size: 4324 bytes