Malicious PDF — malware analysis report

Static analysis result for SHA-256 b64947e71c83ad94…

MALICIOUS

PDF

Size: 96.4 KB
Created: 2021-04-12 17:47:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 41612bab132a77786caaa8824cc5b09a
SHA-1: 91763fbcf8267ebf7f2d38647d47134220d5f585
SHA-256: b64947e71c83ad9409c1fb37f7350c2482e9c660f11f947673c36ad76afc8b73
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as a malicious PDF by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The PDF contains an embedded URI pointing to 'https://ponafet.ru/strik', which is a strong indicator of a phishing or malware distribution attempt. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest it's designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=manual+despertador+sony+icf-c1

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000facb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFACB  5340 bytes
  SHA-256: 512fa07264ce3e774f9f977f465e72e5bdeca9b2f49559a69f53fe7b9093873b
font_01_sfnt_off00010d28.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10D28 20576 bytes
  SHA-256: 16bdb5b01e60ccfe7118d2738b42dd54ad39e4f508f811d1e4a80db9ecb3475e
font_02_sfnt_off00012c0d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12C0D 2232 bytes
  SHA-256: ff79d2ef082ad429f3a8b11545c4b60b5ddc6d7cbc185244dbd92f827ca8fd44
font_03_sfnt_off000135a4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x135A4 12804 bytes
  SHA-256: bbe0829ad9dd0212ee1b6c0b356aabc6daf339419363a2e5e2aec97403259aae
font_04_sfnt_off00015f35.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x15F35 6260 bytes
  SHA-256: e978e4260013f6ec825a390d39c252d420d1fd0ebb98cd079e1ee40888700843