Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fa9a78462222d1e…

MALICIOUS

PDF

Size: 96.4 KB
Created: 2021-06-10 07:02:35 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4aa271bc6a37cdd5b9242ba7dc6c4eaa
SHA-1: 7232d40c2e4b998f8b57776c12e174ffa5af66fa
SHA-256: 9fa9a78462222d1e1220c1b03ba94a6031668ea5ad45351b8cdf0f8e102329b2
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains an embedded URL pointing to 'medvor.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, and the presence of embedded artifacts like streams and fonts is typical for PDF exploits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://medvor.ru/pbw?utm_term=khilafat+aur+malookiat+pdf
    • https://cdn-cms.f-static.net/uploads/4384164/normal_5fd24248d1e0f.pdf
    • https://cdn-cms.f-static.net/uploads/4484097/normal_5fd3887c214a1.pdf
    • https://static.s123-cdn-static.com/uploads/4367912/normal_5fe5c2962bcf7.pdf
    • https://cdn-cms.f-static.net/uploads/4369505/normal_6039f286380a7.pdf
    • https://cdn-cms.f-static.net/uploads/4480750/normal_6015de9d2a697.pdf
    • https://cdn-cms.f-static.net/uploads/4390051/normal_6047cb692c2d8.pdf
    • https://cdn-cms.f-static.net/uploads/4389352/normal_60609a2012c41.pdf
    • https://cdn-cms.f-static.net/uploads/4491723/normal_604467512c034.pdf
    • https://static.s123-cdn-static.com/uploads/4371240/normal_5ff75bdd25925.pdf
    • https://static.s123-cdn-static.com/uploads/4382405/normal_5feb8c4f8e7f5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://lebamojopa.pbworks.com/w/file/fetch/145010529/pobamugivobovanuf.pdf
    • https://uploads.strikinglycdn.com/files/a1d39c7e-9cc2-49cc-8a9e-cf4ffb948399/detawivonuzapogude.pdf
    • https://uploads.strikinglycdn.com/files/2bddc020-045f-4dea-9801-f50fa03541a9/sigma_400_bike_computer_owners_manual.pdf
    • http://liguduper.pbworks.com/w/file/fetch/144452562/licencias_para_eset_nod32_antivirus_2021_marzo.pdf
    • https://uploads.strikinglycdn.com/files/588ffb7d-ae4e-45cb-9463-c5a0183f1ee8/muwavukewuzalekasasulebu.pdf
    • https://uploads.strikinglycdn.com/files/2cae045f-f54d-40e7-8435-16c4aa3efe45/32701989179.pdf
    • http://tujolim.pbworks.com/w/file/fetch/144708207/tapivubezujajewijiz.pdf
    • https://uploads.strikinglycdn.com/files/6be80bc0-2697-4102-80d0-e66f632b2ac3/candide_voltaire_fiche_de_lecture.pdf
    • http://bopidix.pbworks.com/f/bileikler_ve_formlleri_7.snf.pdf
    • http://bovojigu.pbworks.com/w/file/fetch/144418011/wupamage.pdf
    • http://fudejob.pbworks.com/f/xodasaborefowedugivir.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, where in the sample it was carved from, and its size.

  • stream_004_off00014e9a.bin
    SHA-256: 57697fd03cab7d6eae0172c1ccd918f04f1bb46fd6c3a3b3e08b859638c22823
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x14E9A
    Size: 21404 bytes
  • font_00_sfnt_off00011644.bin
    SHA-256: 974de824cf7ca53e04a08a5177a8ae0163f112274573c5f33fffa5cc410a168b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11644
    Size: 5136 bytes
  • font_01_sfnt_off00012795.bin
    SHA-256: df041edb9fd5e0db06a7d1be68cc3432ff99023b0ed266f8e3df5c5efef0e18c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12795
    Size: 11844 bytes