Malicious PDF — malware analysis report

Static analysis result for SHA-256 99560463657e0e84…

MALICIOUS

PDF

Size: 90.3 KB
Created: 2021-03-17 16:59:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 814d9729cd2ebb4904179a18b35b6995
SHA-1: 2a948b91027a1c42768e416be509413269c541d7
SHA-256: 99560463657e0e843240a5ae90a8cf0eb5594136d3d9b60c1f5e93de5c37870b
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. The document body, though partially corrupted, suggests a lure related to camera settings, directing users to a suspicious URL. This URL likely serves as the initial point of contact for a phishing campaign or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/strik?utm_term=how+to+set+nikon+d5100+to+video+mode

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00012522.bin
  SHA-256: f542a41fa3c32a4110acf2945dcffb402d666f8a7ee3c43d66c7e455ee39ee8c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12522
  Size: 5128 bytes

Filename: font_01_sfnt_off000136ad.bin
  SHA-256: ecb26073acbc299b6348530428add889c65e005d1ad89f45294e6eb85d15b9a9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x136AD
  Size: 10884 bytes