Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9fe39cfc369023e…

Verdict: MALICIOUS
File type: PDF
Size: 77.5 KB
Created: 2021-05-24 17:41:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e61a2f74e3a9b069c65dbc3f088ebf17
SHA-1: d52193b2f8eb651243cbf24900e5e5a6f05510b3
SHA-256: a9fe39cfc369023e180dd7b1b7375ee2fe9d3d90b96ab3cda2157041613b0b72
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript (note that no JavaScript object appears among the heuristics listed below; the mapping is not backed by an observed script in this report)

The file was flagged as malicious by the machine-learning classifier and by ClamAV, whose signature names it a PDF phishing trojan. It contains an external link action whose target is a suspicious domain, nipisod.ru, most likely used to redirect the reader to a phishing page or to fetch a secondary payload. The lure is consistent with that link: the utm_term parameter of the URL spells out 'exothermic reaction used in everyday life', and the document text, though heavily obfuscated, contains material on the same 'exothermic reaction' theme, so the visible content exists to make the link look worth clicking. The other extracted URLs are links to further PDFs on file-hosting CDNs, a font vendor's site and XMP metadata namespace URIs; none of these is a detection on its own (see the heuristics below).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content from the same file, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the victim's viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a new copy of the object), so severity is raised only when the duplicate carries active content such as a link action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL (the suspicious domain referenced in the summary):
    • https://nipisod.ru/strik?utm_term=exothermic+reaction+used+in+everyday+life
    Other URLs in the document: links to further PDFs on file-hosting CDNs (f-static.net, s3.amazonaws.com, strikinglycdn.com) and a font vendor's site (ascendercorp.com, probably carried over from embedded font metadata):
    • https://cdn-cms.f-static.net/uploads/4487206/normal_6035617f339f6.pdf
    • https://cdn-cms.f-static.net/uploads/4418167/normal_5fd7af4c724b4.pdf
    • https://cdn-cms.f-static.net/uploads/4486200/normal_602369864c5b1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/liguwubore/24278979960.pdf
    • https://uploads.strikinglycdn.com/files/add9cd1d-388e-4a22-8163-222094390bdf/best_ar-15_upper_receiver_vise_block.pdf
    • https://uploads.strikinglycdn.com/files/e4d9a1af-77d0-4d0a-8660-8a8607540435/28555513371.pdf
    • https://uploads.strikinglycdn.com/files/471c35a6-3f99-42d0-bc28-39b15ac57f6a/brother_electronic_knitting_machine_patterns.pdf
    • https://uploads.strikinglycdn.com/files/14fdce92-fcea-42c0-a55a-268b441c0597/10701321639.pdf
    • https://s3.amazonaws.com/woberiz/widebumovanuli.pdf
    • https://uploads.strikinglycdn.com/files/98b44bd0-1cd1-488b-ae00-2a845f650190/mt-8200-60-kit_intellitone_pro_200_lan.pdf
    • https://uploads.strikinglycdn.com/files/f08e947e-905f-4213-a366-5a81eeb89b73/43353339908.pdf
    • https://uploads.strikinglycdn.com/files/2ed3d598-c6d5-47f3-89e7-6592d9422922/42242963927.pdf
    • https://s3.amazonaws.com/pizexopenaxu/vuraviteke.pdf
    • https://uploads.strikinglycdn.com/files/389b5cba-95d9-48dd-abcb-3530e0285b8b/in_a_dark_dark_wood_full_movie_release_date.pdf
    • https://s3.amazonaws.com/vovuzize/90114845198.pdf
    • https://uploads.strikinglycdn.com/files/ff11b8bb-8ccd-4361-8841-80f97fde621c/blackrock_find_your_future_forum.pdf
    • https://uploads.strikinglycdn.com/files/fc653e7e-f7d6-4378-926c-33ffd61fb1a6/what_is_initial_velocity_in_physics.pdf
    • https://uploads.strikinglycdn.com/files/08c7473f-30d9-4331-ba51-4e7a34f287ce/english_course_book_for_beginners_free_download.pdf
    • https://uploads.strikinglycdn.com/files/02c62075-ce3a-4690-81bd-bf4258607ef1/10745743823.pdf
    • https://uploads.strikinglycdn.com/files/380661f7-412a-4faf-ae1b-0e842abb5f74/44995878110.pdf
    • https://uploads.strikinglycdn.com/files/8d69c520-d885-4504-81f4-980fe00c4234/dabekex.pdf
    • https://uploads.strikinglycdn.com/files/548699b2-3a3d-48f2-b9ad-295c06e05c6a/how_to_add_more_than_2_buttons_on_wix.pdf
    XMP metadata namespace URIs and a font licence URL (present in every XMP packet and embedded-font block; not network indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
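The two heuristics above (the indirect object defined twice with different bodies, and the caveat that an extracted URL is only meaningful once its channel is known) can be reproduced outside the sandbox. What follows is an added example, not code from the report's scanner or from any PDF library; it builds a minimal PDF inline with placeholder hostnames (benign.example, lure.example) in which the link action is redefined by an incremental update, then shows that a first-wins reader and a last-wins reader open different targets from the same bytes, how body-only duplicates are rated against duplicates carrying active content, and how XMP namespace URIs are kept apart from real indicators.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF whose link
# action, object 4, is redefined by an appended incremental update.
# The hostnames are placeholders, not indicators from the report.
ORIGINAL = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [5 0 R] >> endobj
4 0 obj << /S /URI /URI (https://benign.example/) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 200] /A 4 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
UPDATE = b"""4 0 obj << /S /URI /URI (https://lure.example/strik?utm_term=x) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLE_PDF = ORIGINAL + UPDATE

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicate body "active content".
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
# URIs that are XMP/RDF namespaces or a font licence, not network indicators.
METADATA_PREFIXES = (
    "http://ns.adobe.com/",
    "http://purl.org/dc/",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://scripts.sil.org/OFL",
)


def indirect_objects(pdf):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in file order.
    A raw regex pass is deliberate: it sees every body, including ones a
    strict xref-driven parser would never resolve."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(pdf):
    """{(num, gen): [body, ...]} for objects defined more than once with at
    least two distinct bodies, the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape."""
    seen = defaultdict(list)
    for num, gen, body in indirect_objects(pdf):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(pdf):
    """'none' without duplicates, 'info' for body-only drift (a typical benign
    incremental update), 'high' when any duplicate body carries active content."""
    dups = duplicate_objects(pdf)
    if not dups:
        return "none"
    active = any(key in body for bodies in dups.values()
                 for body in bodies for key in ACTIVE_KEYS)
    return "high" if active else "info"


def resolve(pdf, num, gen, policy):
    """Body of object (num, gen) as a first-wins or last-wins reader sees it."""
    bodies = [b for n, g, b in indirect_objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def link_targets(pdf, policy="last"):
    """Sorted /URI action targets reachable under the given resolution policy."""
    keys = {(n, g) for n, g, _ in indirect_objects(pdf)}
    targets = []
    for num, gen in keys:
        for m in URI_RE.finditer(resolve(pdf, num, gen, policy)):
            targets.append(m.group(1).decode("latin-1"))
    return sorted(targets)


def triage_urls(urls):
    """Split extracted URLs into (external, metadata) so namespace URIs from
    the XMP packet are not mistaken for network indicators."""
    external = [u for u in urls if not u.startswith(METADATA_PREFIXES)]
    metadata = [u for u in urls if u.startswith(METADATA_PREFIXES)]
    return external, metadata


if __name__ == "__main__":
    print("duplicates:", sorted(duplicate_objects(SAMPLE_PDF)),
          "severity:", duplicate_severity(SAMPLE_PDF))
    for policy in ("first", "last"):
        print(f"{policy}-wins reader opens:", link_targets(SAMPLE_PDF, policy))
```

Run against the sample, the first-wins view of object 4 is the benign URL and the last-wins view is the lure, which is exactly the disagreement the heuristic is looking for; because the duplicated body is a /URI action the severity is raised to high, whereas the same file with a duplicated, inert object would stay at info. The regex-level object scan is intentionally looser than a real PDF parser: the point of the check is to see every body that exists in the bytes, not only the ones the cross-reference table points to.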

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000edd2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEDD2   5448 bytes
  SHA-256: 151b90ebe7aedad2c19c7d1791f1ee2066b97c754c4353325935e55998ba7ca8
font_01_sfnt_off00010040.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10040  11808 bytes
  SHA-256: b9b8c8e45146b4031d42f77e83e7acb247584c05425460da93a82181a9726dad

Both artifacts are sfnt (TrueType/OpenType) font programs, which are expected in a wkhtmltopdf-generated document. They are listed so that they can be hashed and examined separately; none of the detections above is attributed to them.