Malicious PDF — malware analysis report

Static analysis result for SHA-256 b71df4608de54228…

MALICIOUS

PDF

89.6 KB Created: 2021-03-18 16:05:12 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 553bb88a42121cb0631e33203bdd2597 SHA-1: df4f2154d89a997311215d44b61f69f733a5cd65 SHA-256: b71df4608de54228c969cdc94b12357ec399e5b766fd5ff9babddb4fa364e641
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was detected as a malicious PDF by ML classifiers and ClamAV, indicating a phishing or trojan payload. The embedded URL `https://ponafet.ru/wix?keyword=pilates+premier+xp+machine` suggests a lure to a malicious website. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing attempt to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/wix?keyword=pilates+premier+xp+machine
    • http://salonly.xyz/photo_banner_app_free6gdht.pdf
    • http://leoidet.xyz/line_6_pod_pro_xyzwr8.pdf
    • https://cdn-cms.f-static.net/uploads/4366398/normal_600a679b3377d.pdf
    • https://cdn-cms.f-static.net/uploads/4377116/normal_604b91c12e91a.pdf
    • https://static.s123-cdn-static.com/uploads/4479213/normal_6000bab780ca7.pdf
    • http://mugukix.mygamesonline.org/76382318743.pdf
    • http://pozijuza.scienceontheweb.net/miss_peregrine_books_genre.pdf
    • http://nenavukatebofaf.22web.org/vufukolejujamixipefon.pdf
    • https://cdn-cms.f-static.net/uploads/4387430/normal_603eb5eb5096f.pdf
    • http://kuzososo.mygamesonline.org/85654536942.pdf
    • http://lnstagramcopyrightmanagement.com/how_much_do_you_get_paid_for_teach_first73vok.pdf
    • http://gemubanabugawa.mypressonline.com/tuzinigefuwifabibabolutu.pdf
    • https://cdn-cms.f-static.net/uploads/4464315/normal_6052bb2061a8f.pdf
    • http://romeita.space/128034416807tduc.pdf
    • http://rowowesofazov.medianewsonline.com/4406974552.pdf
    • http://kuliwajijet.22web.org/browser_terbaik_untuk_file_besar.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fuguzametekobo.myartsonline.com/a_dolls_house_movie_script.pdf
    • http://vubuzixefixa.onlinewebshop.net/ezdrummer_how_many_computers.pdf
    • http://rajowezurub.rf.gd/rufavujifi.pdf
    • https://uploads.strikinglycdn.com/files/9beb6dcc-0a94-403a-8525-f1e05a8a3e28/44344293910.pdf
    • http://tiwedozesa.atwebpages.com/number_theory_applications.pdf
    • https://uploads.strikinglycdn.com/files/32f66e44-971b-46b0-848c-46585195b7d8/nidepajuzebesidiwi.pdf
    • https://uploads.strikinglycdn.com/files/e2bb7bd5-3958-47e9-9920-6d5e5f4cde73/network_security_firewall.pdf
    • https://uploads.strikinglycdn.com/files/12c5efd9-03e0-477c-8e04-8b56ecf53885/33783200036.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ecbb.bin
6edc550634920af42a5dc9e9c288554474cfce209a3f22d7f281e6e3946252c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECBB 8324 bytes
font_01_sfnt_off000108d6.bin
e6813845109df482e8c13695ee63f7df4dca8ea2b386299e0ba2e10b0a8957ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x108D6 5240 bytes
font_02_sfnt_off00011a81.bin
1f1a0171d13ce734488d56635c1461f8002c83bb82336a78e4b1c3dbeed05c7a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11A81 11796 bytes
font_03_sfnt_off000142fb.bin
d7b44821a274b198650e478dfa15a3f6921d7a5f043aef9c433e5d3a9ddccc75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x142FB 16116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.