Malicious PDF — malware analysis report

Static analysis result for SHA-256 af0bae9ba716044a…

Verdict: MALICIOUS
File type: PDF
Size: 78.0 KB
Created: 2021-03-06 19:54:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2b3d2d4fcf7892c97dee91facb0da787
SHA-1: 5b75579e470cc0995afa7158f106a5c0edaf18c7
SHA-256: af0bae9ba716044aeba1084bc5f176d4a580c4edff6112ea0243e596925e6bf9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an external URI action whose target domain is flagged as suspicious; the URL was surfaced by the external-URI heuristic, and the file as a whole is classified as malicious by both the ML classifier and ClamAV. The document body, though heavily obfuscated, references product reviews (the flagged URL's utm_term parameter reads "dyson ball vacuum cleaner reviews"), suggesting a lure aimed at users searching for such reviews. Because the action is a URI, the document's payload is the redirect itself: a click on the link opens the attacker-controlled site in the user's browser without any code executing inside the reader. Note that none of the listed heuristics reports JavaScript, so the T1059.007 mapping is not corroborated by the findings shown here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=dyson+ball+vacuum+cleaner+reviews (labelled URL: the suspicious domain referred to in the summary)
    • https://cdn-cms.f-static.net/uploads/4454055/normal_6035d9637b84d.pdf
    • http://zanodopowe.sportsontheweb.net/mpc_essentials_no_sound.pdf
    • http://vijexibat.mywebcommunity.org/craftsman_dovetail_jig_review.pdf
    • https://static.s123-cdn-static.com/uploads/4473954/normal_5ffa2b43c9dba.pdf
    • https://cdn-cms.f-static.net/uploads/4403119/normal_5fd1720ee0d4e.pdf
    • https://cdn-cms.f-static.net/uploads/4470412/normal_60321f824ad45.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/57ff89bb-691e-4f82-afd2-7d658398e3cf/nibufewabofigowuwi.pdf
    • https://uploads.strikinglycdn.com/files/2f4f96a9-aa36-4d2c-9230-3f5a14b497e1/will_a_smoothie_for_breakfast_help_me_lose_weight.pdf
    • https://s3.amazonaws.com/xeropizuwe/lions_hockenson_injury_report.pdf
    • https://s3.amazonaws.com/sebunuzu/les_barricades_mystrieuses_piano_sheet.pdf
    • http://jowokepo.atwebpages.com/mazav.pdf
    • https://uploads.strikinglycdn.com/files/e7bf2c2d-7c3b-485f-9724-39ef5364f34b/23551521186.pdf
    • https://s3.amazonaws.com/fotepopunaj/92810419976.pdf
    • https://uploads.strikinglycdn.com/files/57a83314-61d3-421e-a6e3-b785da8e57a7/ibn_arabi_ertugrul_quotes_in_urdu.pdf
    • http://vipojidetag.epizy.com/kixizafilifu.pdf
    • https://uploads.strikinglycdn.com/files/f29b7a36-d091-4dd6-8069-9ad7cf49f906/77811392818.pdf
    • https://s3.amazonaws.com/minegikukovel/nuvuxowovorosaselisixar.pdf
    • https://uploads.strikinglycdn.com/files/adec1c67-bcb6-4471-92d7-804cc7cc8995/learning_english_live_chat.pdf
    • http://kirigawegugava.epizy.com/nenudazilemejafawabo.pdf
    • https://uploads.strikinglycdn.com/files/d05340df-1096-45ea-9302-d6f52ec0895b/pivolafarad.pdf
    • https://uploads.strikinglycdn.com/files/674f1d9f-5c35-4f83-8acb-7f7b7b2616df/pci_reproducible_us_history_shorts_answer_key.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    (The last seven entries are XMP/RDF namespace identifiers and the SIL Open Font License URL carried by the document metadata and the embedded fonts' licence fields; they are not user-reachable links and are expected in wkhtmltopdf output.)
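The external URI action, the duplicate-object heuristic and the per-URL channel labels above all fall out of one pass over the file's indirect objects. The following Python is an added example written for this page, not the analysis platform's own code: it scans every "N G obj ... endobj" definition in a constructed sample PDF (including an incremental update that redefines the link action), reports object numbers defined twice with different bodies together with what a first-wins and a last-wins reader would each follow, and labels each extracted URL by the channel that reaches it (URI action, XMP metadata, JavaScript, or plain document body). The active-content key list, the sample PDF and both example.com/example.invalid URLs are assumptions of the example; the real sample's IOCs are not reused.

```python
"""Toy PDF triage: duplicate indirect objects, /URI actions and URL channel labels.

Added example for this report, not the analysis platform's code. A regex object
scanner is used instead of an xref walk on purpose: it sees every definition in
the byte stream, which is what exposes first-wins vs last-wins divergence.
"""
import re
from collections import defaultdict

# Keys whose presence makes a duplicate object "active" (open/click triggers behaviour).
# This list is an assumption of the example, not one the report defines.
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")

# "N G obj ... endobj"; non-greedy so each redefinition is captured separately.
# Caveat: a binary stream that happens to contain the bytes "endobj" truncates a body.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URL_RE = re.compile(rb"""https?://[^\s<>"')\]]+""")


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order; later entries are incremental updates."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def classify_channel(body: bytes) -> str:
    """Label which channel can reach a URL found in this object body."""
    if b"/Type /Metadata" in body or b"xmpmeta" in body:
        return "xmp_metadata"   # namespace identifiers, never followed by the user
    if re.search(rb"/S\s*/URI\b", body):
        return "uri_action"     # a link click hands the URL to the browser
    if b"/JS" in body or b"/JavaScript" in body:
        return "javascript"
    return "document_body"


def extract_urls(objs: dict) -> list:
    """Every URL with its channel label and the object definition it came from."""
    out = []
    for (num, gen), bodies in objs.items():
        for idx, body in enumerate(bodies):
            channel = classify_channel(body)
            for url in URL_RE.findall(body):
                out.append({"url": url.decode("latin-1"), "channel": channel,
                            "obj": f"{num} {gen}", "definition": idx})
    return out


def duplicate_objects(objs: dict) -> list:
    """Objects defined more than once with differing bytes, with the first-wins/last-wins view."""
    findings = []
    for (num, gen), bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            findings.append({
                "obj": f"{num} {gen}",
                "count": len(bodies),
                "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
                "first_wins_urls": [u.decode("latin-1") for u in URL_RE.findall(bodies[0])],
                "last_wins_urls": [u.decode("latin-1") for u in URL_RE.findall(bodies[-1])],
            })
    return findings


def analyze(data: bytes) -> dict:
    objs = parse_objects(data)
    return {"duplicates": duplicate_objects(objs), "urls": extract_urls(objs)}


# Constructed sample: a one-page PDF whose link action (object 5) is redefined by an
# incremental update. Both targets are reserved example domains, not the report's IOCs.
# /Length and the xref are not validated by this toy parser.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20] /A 5 0 R >> endobj
5 0 obj << /Type /Action /S /URI /URI (https://example.com/benign) >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 120 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Action /S /URI /URI (https://example.invalid/lure?utm_term=vacuum+reviews) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_PDF)
    for d in report["duplicates"]:
        print(f"obj {d['obj']} defined {d['count']}x, active={d['active']}")
        print("  first-wins reader follows:", d["first_wins_urls"])
        print("  last-wins reader follows: ", d["last_wins_urls"])
    for u in report["urls"]:
        print(f"{u['channel']:14} obj {u['obj']}#{u['definition']}  {u['url']}")
```

Run it on a real sample by replacing SAMPLE_PDF with the file bytes. The duplicate finding is only escalated when `active` is true, mirroring the report's severity rule; a redefinition of, say, a page dictionary stays informational, while a redefined /URI or /JS object means two readers can land on two different targets.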

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                        Size
font_00_sfnt_off0000f2d7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF2D7     5340 bytes
  SHA-256: b851dd4dfad25052a08a415f1230cfc49e2a55124582cd24ac5f6ae68d5c8a3e
font_01_sfnt_off00010509.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10509    11012 bytes
  SHA-256: 555314164ca71d1435abf3cf9a65b4c0052242fe3d5fab2dea79400dc5dc04f6