Malicious PDF — malware analysis report

Static analysis result for SHA-256 b80f6422e7d7b2d4…

Verdict: MALICIOUS
File type: PDF
Size: 82.9 KB
Created: 2021-03-23 04:46:10 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ca49bc05601454f64c13f482da644565
SHA-1: 95377ab4af3cb0cfa743525c72e8bb5689794f76
SHA-256: b80f6422e7d7b2d4c32def5d046b2898d0ca8eb74727a314cdc61906679e871e
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF containing an embedded URI that points to a suspicious domain, identified by ClamAV as a phishing trojan. The ML classifier also flagged it with high confidence. While no scripts were explicitly extracted, the presence of an external URI suggests an attempt to redirect the user to a malicious site, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f8e9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF8E9   5364 bytes
  SHA-256: af7c91893e13020d16c6334bf1f92c59070776e79bbc7cfacf8dfef5551b14aa
font_01_sfnt_off00010b18.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10B18  1800 bytes
  SHA-256: daad3f347a4f42f432ee9983e619a7c063e36761dba5934b469418034847e28e
font_02_sfnt_off000113a6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x113A6  12280 bytes
  SHA-256: 3595a4fe4e41fbaefb6a4f02566b698d80a9cea89bab01b62c287c72a439d65e