Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d89ef191af0f4a1…

MALICIOUS

PDF

Size: 96.2 KB
Created: 2021-04-22 09:27:22 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f2cb3dc3845588706a85ec24ff426720
SHA-1: 9c4c25352543e60c98038a8b0e9e072147edabac
SHA-256: 9d89ef191af0f4a1a483dc59f7c43897e11494df87087d2c3ae6ba7b5b0cc350
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and by an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to a suspicious domain, likely intended to redirect the user to a phishing or malware distribution site. The PDF structure and embedded content suggest it is designed to exploit users through social engineering, possibly using the 'fanuc cnc programming language' search term as the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION): Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware under the signature above.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gimoguvi.ru/strik?utm_term=fanuc+cnc+programming+language

Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
| --- | --- | --- | --- | --- |
| font_00_sfnt_off000114f0.bin | f7544b7057002509627d79a0531fb86ca0cd48fffeb7f7b8d35770204cce26ee | pdf-font-stream | PDF embedded font (sfnt) at offset 0x114F0 | 4016 bytes |
| font_01_sfnt_off0001231b.bin | 3377b5f0446aba41ecf1cad7434a216f7bede70bc60d9ee259110d2bc3cb0a58 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1231B | 5028 bytes |
| font_02_sfnt_off00013424.bin | a8c3f4a7d21f0405e6f7487de0860e01181f7afb0328789f71a14c3ac88b1694 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13424 | 11752 bytes |
| font_03_sfnt_off00015c54.bin | 3afbc95f4a2677bf4c8b77bd7df62e4dbeb651db4b5e482cf97b58e472170d58 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15C54 | 16164 bytes |