Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d8d093795f4b66e…

MALICIOUS

PDF

Size: 66.0 KB
Created: 2020-11-25 07:35:43 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 09d0e3abf4798db20be4d8b88a75c919
SHA-1: d01201ec47e4ce1ae8b29960a79b95cced49c708
SHA-256: 9d8d093795f4b66e002d7e7a4110b958c757f5182282541c64ba28b8b303bed4
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that directs users to a phishing page disguised as a guide for factory resetting an Asus laptop. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for credential harvesting or malware distribution. No scripts were extracted, but the presence of an external URI is a primary indicator of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafficel.ru/strik?utm_term=how+to+factory+reset+asus+laptop+from+bios
    • https://cdn-cms.f-static.net/uploads/4470207/normal_5fae911364057.pdf
    • https://cdn-cms.f-static.net/uploads/4367622/normal_5f8be27e7c9cd.pdf
    • https://cdn-cms.f-static.net/uploads/4366337/normal_5f8715fd84e9f.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/purufiz/anime_battle_1.8_unblocked_66.pdf
    • https://uploads.strikinglycdn.com/files/24f192cb-bbab-4d46-8bef-2cf04b3fdc40/zurub.pdf
    • https://uploads.strikinglycdn.com/files/fd60e120-8d45-4f84-881c-122154b86ca2/metric_mania_conversion_practice_basic_unit_answers.pdf
    • https://uploads.strikinglycdn.com/files/5fb639e0-1ff5-4017-bd78-e5d748e398c6/91357736737.pdf
    • https://s3.amazonaws.com/xupimaral/nasiligukigamotenuto.pdf
    • https://uploads.strikinglycdn.com/files/10506e55-5fad-4ab0-a4a4-40e9e1b9a7dd/71360345076.pdf
    • https://s3.amazonaws.com/baritexovopa/solving_algebraic_equation.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off0000c827.bin
    SHA-256: 4717c7621e6e924177ca97ce98ff7918f0b769f896eea29ba1e8770361e83d48
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC827
    Size: 5456 bytes
  • Filename: font_01_sfnt_off0000dab9.bin
    SHA-256: fb757e2afb13139a4843862f7583d4cf7a494ef264f51c4321cafa9226bcfef9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDAB9
    Size: 9500 bytes