Malicious PDF — malware analysis report

Static analysis result for SHA-256 9170b0ea55d8450e…

MALICIOUS

PDF

71.6 KB Created: 2021-03-31 23:01:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7edeac02a57947c3b8ca1a7191e208bf SHA-1: 2e312268d13de33418109764bda40f93da2b342e SHA-256: 9170b0ea55d8450e41bc565fd62d711b8201fe22543de58c292f25a586ff3fc7
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. The document body, though heavily obfuscated, contains references to 'wkhtmltopdf' and 'Qt', suggesting it was generated by a tool. The presence of embedded URLs, particularly 'https://ponafet.ru/strik', strongly indicates a phishing or malware distribution attempt, likely leveraging the 'Sign of the Beaver' book title as a lure. No scripts were extracted, but the PDF structure itself facilitated the embedding of malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=sign+of+the+beaver+book+pdf
    • http://sowoxapexemex.sportsontheweb.net/how_to_open_gillette_fusion_proglide_styler.pdf
    • http://xufuxenu.mypressonline.com/69948573433.pdf
    • http://wobomekisad.22web.org/grade_8_writing_examples.pdf
    • http://beststudent.space/brimonidine_drops_dosage8rj0c.pdf
    • http://tokio-2020.fun/wosomop93f81.pdf
    • http://ttop-shop.com/152945530340d2lo.pdf
    • http://gofadivus.mygamesonline.org/lawibipapuwirige.pdf
    • http://kositexujir.sportsontheweb.net/statistical_methods_for_machine_learning_jason_brownlee.pdf
    • http://zivasajotafu.iblogger.org/bundesliga_spielplan_fc_bayern.pdf
    • http://pasozabijegigus.iblogger.org/wd_my_cloud_shows_red_light.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://karifopiti.epizy.com/99559092587.pdf
    • http://repefewuvu.epizy.com/16916009063.pdf
    • http://bitujiduruv.myartsonline.com/octavia_butler_wild_seed.pdf
    • http://jogulele.epizy.com/predator_6500_generator_specs.pdf
    • http://magoravir.epizy.com/vip722k_reset_button.pdf
    • http://sonarubitexo.atwebpages.com/60925822027.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000da3b.bin
b63f21d34d0102bf711bffa147e7b0fc36830a7e019a991a9a84c37011ec9b61		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDA3B 5460 bytes
font_01_sfnt_off0000eccc.bin
55995f1a4847cfbb50ed80ebe31fa9868092b66bed1ac518d7d303821764036c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECCC 10748 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.