PDF static analysis report

Static analysis result for SHA-256 b357df3818b9c758…

SUSPICIOUS

PDF

Size: 64.4 KB
Created: 2021-01-16 22:23:12 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-07
MD5: 436426de64c94d2b3d015c08940b22b1
SHA-1: 7a60a72c7693978d9d4d240eb5a8723a2c20c1f1
SHA-256: b357df3818b9c7582eacd7ed06c73b2fa2664637477476bac65e36fffecccdb9
Risk score: 36

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a link annotation whose URI action points to trafffe.ru (PDF_URI heuristic), and the Nyx PDF classifier scores it as malicious at 0.9998. The same indirect object is also defined twice with different bodies (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), so a first-wins and a last-wins parser may resolve different content; on its own that is common in benign incremental updates and is rated info here. The document text additionally lists many .pdf URLs on file-hosting and site-builder domains (s3.amazonaws.com, mozfiles.com, sqhk.co, weebly.com), and the link-annotation URL carries a utm_term of "yugioh gx duel academy romsmania", a pattern consistent with SEO-bait documents that redirect the reader to a landing page for phishing or further downloads. Apart from text and two embedded fonts nothing was carved from the sample, and none of the three listed heuristics reports JavaScript, so the T1059.007 mapping is not corroborated by the findings shown here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffe.ru/123?utm_term=yugioh+gx+duel+academy+romsmania (PDF link annotation)
    • https://site-1176201.mozfiles.com/files/1176201/nickfinder_nickname_generator_free.pdf (in PDF document text)
    • https://cdn.sqhk.co/kenipafitu/cpKvijp/ecru_definition_food.pdf (in PDF document text)
    • https://cdn.sqhk.co/pixafosabow/dgcifgi/flix_movies_mod_apk.pdf (in PDF document text)
    • https://site-1176876.mozfiles.com/files/1176876/practice_sheet_balancing_redox_reactions_with_answers.pdf (in PDF document text)
    • https://jurujixomegisi.weebly.com/uploads/1/3/4/7/134745805/ec52058a1c6.pdf (in PDF document text)
    • https://static.s123-cdn-static.com/uploads/4417998/normal_5ff3ccd6e62f6.pdf (in PDF document text)
    • https://cdn.sqhk.co/dedejosewor/hhjjjha/rutumuxusidibujekul.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://s3.amazonaws.com/fosawef/werewolf_online_apkmonk.pdf (in PDF document text)
    • https://s3.amazonaws.com/goviwigax/moxuxepunebili.pdf (in PDF document text)
    • https://s3.amazonaws.com/dukajevo/26978648797.pdf (in PDF document text)
    • https://s3.amazonaws.com/sevoga/bernard_anselmetti.pdf (in PDF document text)
    • https://s3.amazonaws.com/paxivogedewilu/xosuzuxasikepofaju.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
    The w3.org, purl.org and ns.adobe.com entries are XMP metadata schema namespaces, and the ascendercorp.com and scripts.sil.org/OFL entries are license and foundry references carried in embedded-font metadata; they are present in many legitimately generated PDFs and are not indicators on their own. The remaining .pdf URLs and the trafffe.ru link annotation are the entries worth pivoting on.
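The two heuristics above, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, are easy to reproduce without a full PDF parser. The following is an added example written for this report, not the analyzer's own code, and it runs on a constructed two-revision PDF (not the analysed sample) in which an incremental update redefines a link annotation object and adds a /URI action. It shows why first-wins and last-wins readers disagree, and applies the same severity rule the heuristic describes: a duplicate is rated info unless the bodies differ and one of them carries active content. The object regex, the list of "active" dictionary keys and the example.invalid URL are assumptions for the illustration; object streams and hex-encoded strings are deliberately out of scope.

```python
import re
from collections import OrderedDict

# Constructed sample (not the analysed file): a two-revision PDF. Revision 1
# defines object 4 as a plain link annotation; the appended incremental update
# redefines "4 0 obj" with a /URI action. A first-wins reader renders a dead
# link, a last-wins reader (the usual policy) follows the URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.invalid/landing) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 9 >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind stops "14 0 obj" being read as "4 0 obj".
OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string URIs only; hex strings and objects inside compressed /ObjStm
# containers would need real decoding and are out of scope here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed set of keys that make a duplicate body "active content".
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/GoToR", b"/SubmitForm")


def parse_objects(data):
    """Map (num, gen) -> list of bodies in file order, ignoring the xref tables."""
    objs = OrderedDict()
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def resolve(objs, policy):
    """Body each reader family sees: 'first' for first-wins, 'last' for last-wins."""
    idx = 0 if policy == "first" else -1
    return {key: bodies[idx] for key, bodies in objs.items()}


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def duplicate_objects(objs):
    """Report every object defined more than once; raise severity only when the
    bodies differ and at least one definition carries active content."""
    findings = []
    for key, bodies in objs.items():
        if len(bodies) < 2:
            continue
        differs = len(set(bodies)) > 1
        active = any(has_active_content(b) for b in bodies)
        findings.append({
            "obj": key,
            "definitions": len(bodies),
            "bodies_differ": differs,
            "active_content": active,
            "severity": "suspicious" if differs and active else "info",
        })
    return findings


def uri_actions(objs, policy="last"):
    """URIs a reader with the given resolution policy would actually follow."""
    found = []
    for key, body in resolve(objs, policy).items():
        for m in URI_RE.finditer(body):
            found.append((key, m.group(1).decode("latin-1")))
    return found


def triage(data):
    objs = parse_objects(data)
    return {
        "duplicates": duplicate_objects(objs),
        "uris_first_wins": uri_actions(objs, "first"),
        "uris_last_wins": uri_actions(objs, "last"),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_PDF).items():
        print(name, value)
```

Running `triage` on the constructed file reports one duplicate (object 4 0, bodies differ, active content present, severity suspicious), no URI under first-wins resolution and the example.invalid URI under last-wins resolution. Replace the sample bytes with a real file to check whether a sandbox that parsed the first definition and the reader on the victim's desk would see the same link.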

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000bf94.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBF94
  Size: 5484 bytes
  SHA-256: 17c84e7e0ed04668116c296a63e1983f149b4bf2a85acd9af56953c5a9eafc72
Filename: font_01_sfnt_off0000d221.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD221
  Size: 10308 bytes
  SHA-256: 3667418c48accc8d8e8e8787429185c430b571cef85b21c493106862fa794c7c