Malicious PDF — malware analysis report

Static analysis result for SHA-256 99bcf4d38fc12707…

MALICIOUS

PDF

Size: 85.3 KB
Created: 2021-03-15 20:11:01 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 091fa0828f1116fc1aee39b48435fd3e
SHA-1: 945815f874f305d0f34d82cf0d8ec3759ba02f08
SHA-256: 99bcf4d38fc1270772089f2692700d0ffa012b2b4aca86c359c311faf79c2959
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, identified by heuristics as an external URI and flagged by a machine learning classifier as malicious. ClamAV also detected it as Pdf.Phishing.Trojan. The presence of this URL suggests an attempt to redirect the user to a malicious site, likely for phishing or to download a secondary payload. No scripts were extracted, but the embedded URI is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://resalured.ru/123?utm_term=plexiform+neurofibroma+icd+10

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00010f0d.bin | 1853753d4abfb1b2ebfdfb1a241eec9cc29a0d0186d4e7c7b3d4b0cc583ea3d9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F0D | 5392 bytes
font_01_sfnt_off00012150.bin | 585e03f2669011404d646d83e5b6c0c157c44cfabaaac4ec6d51186708947e49 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12150 | 11864 bytes