Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9e370f1db53cb91…

Verdict: MALICIOUS
File type: PDF
Size: 85.6 KB
Created: 2021-04-03 11:28:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fac4a1ed41308999bccfaac0bae7f918
SHA-1: d4e7371f0c3b6bc253cb70034f452547525d3d62
SHA-256: b9e370f1db53cb91aa506c10349bd7cc52d5821e1963aabea229fd32b9d02d01
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Both the ML classifier and ClamAV flag the file as malicious. The document carries an external URI action and a large set of embedded URLs, among them 'https://zajinet.ru/wix?keyword=punjabi+bujartan+with+answer+pics', which is consistent with a lure that sends the reader to a site outside the document for phishing or malware delivery. No script content was extracted, so the verdict rests on the external URI action, the duplicated object definition, and the signature and classifier hits rather than on any recovered code.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9981

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV signature match: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action), so a click can take the reader to a site outside the document.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will therefore resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. When reading the list below, keep in mind that a raw URL scan also picks up strings that are normal in any PDF: the w3.org, purl.org and ns.adobe.com entries are RDF/XMP namespace identifiers from the metadata stream, and the font-vendor and OFL entries most likely come from the name and license fields of the embedded fonts. None of those are click targets; the hosted .pdf links and the zajinet.ru URL are the ones worth pivoting on.
    • https://zajinet.ru/wix?keyword=punjabi+bujartan+with+answer+pics
    • http://boomerangoo.site/98684882266sfgbf.pdf
    • http://zhk-rekord.info/94396132815xp2ud.pdf
    • http://jelolizabuvixi.22web.org/class_12_zoology_practical_book.pdf
    • https://static.s123-cdn-static.com/uploads/4417992/normal_5ff27a224399c.pdf
    • http://dfwshootersupply.com/272802238862fj5t.pdf
    • http://cherrypimp.online/julosuvekm7pjv.pdf
    • https://cdn-cms.f-static.net/uploads/4490739/normal_603e8e5ce1db9.pdf
    • https://cdn-cms.f-static.net/uploads/4457563/normal_60617651e081c.pdf
    • https://static.s123-cdn-static.com/uploads/4367294/normal_5ff28436740c9.pdf
    • https://static.s123-cdn-static.com/uploads/4451377/normal_5fcaea326b38c.pdf
    • http://changepass.online/ukulele_strumming_patterns_4_4d4fg6.pdf
    • http://gratoraama.website/pccf_odisha_full_formzpcex.pdf
    • http://wajufogisabo.iblogger.org/3824725423.pdf
    • http://cashtanks.fun/251459499141noi4.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • http://www.daltonmaag.com/
    • https://4c2674ec-1430-4cec-a455-d6a35d10586e.filesusr.com/ugd/38955b_5dfb4bd9d33c446690df0ee8b5e385fe.pdf?index=true
    • https://uploads.strikinglycdn.com/files/42f1777d-af31-44cf-82a3-7a84354e4163/61336012203.pdf
    • https://uploads.strikinglycdn.com/files/b114520f-e65b-4154-a494-42870626166c/hbs_800_driver_windows_7.pdf
    • https://39c1d623-eccb-4af0-a86a-15328a2d61f9.filesusr.com/ugd/3cb6cb_eead4c301354447aacdaa565236c24a9.pdf?index=true
    • https://7211abc3-b26e-437e-abd8-8a8c7ebd4af5.filesusr.com/ugd/0683fb_0e76e1e8d04745ecac4a8f4d207d8f01.pdf?index=true
    • https://uploads.strikinglycdn.com/files/859e8346-2dac-450d-b83d-88db705a3562/latotemiditenizuvidaj.pdf
    • https://uploads.strikinglycdn.com/files/28cbbbff-ab03-4f9d-bf9b-eb55be4c6622/what_degree_is_needed_for_a_public_administration.pdf
    • http://nodibuxirojijok.epizy.com/pukowujakenuvat.pdf
    • https://6d0c6d30-55b9-4b7f-8145-34d11b484ddf.filesusr.com/ugd/8db56d_c0a8214dfb1d4057ade471b0c9a9d8bf.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
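As an added example that is not part of this report or of the analysis tool's own code, the Python below implements regex-level versions of two of the heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (same object number defined twice, first-wins versus last-wins resolution, severity raised only for active content) and PDF_URI / EMBEDDED_URL (which channel reached each URL), over raw PDF bytes. Every name in it (index_objects, duplicate_objects, triage_duplicates, extract_urls, SAMPLE_PDF) and the sample PDF with its example.test and lure.example hosts are constructed for illustration. It does not walk the xref table, so "first" and "last" mean file order, not what a particular reader would actually load.

```python
"""Triage helpers (added example, not the analysis tool's code): duplicate
indirect-object definitions and URL extraction with channel attribution,
done with regular expressions over raw PDF bytes. No xref parsing, no
stream inflation; an approximation for triage, not a conforming PDF reader."""
import re
from collections import defaultdict

# "N G obj ... endobj"; the lookbehind stops "12 0 obj" matching inside "112 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI action whose target is a literal string: /URI (http://...)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Raw scan for anything that looks like an http(s) URL, whatever channel it sits in.
URL_RE = re.compile(rb"https?://[^\s<>()'\"\]]+")
# Keys whose presence makes a duplicated body "active content" rather than layout.
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|EmbeddedFile)\b")


def index_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes, one entry per definition, in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_objects(data: bytes) -> dict:
    """Objects defined more than once with differing bytes. Per (num, gen) return the
    body a first-wins reader resolves and the one a last-wins reader resolves.
    Byte-identical re-definitions (an unchanged object re-emitted by an incremental
    save) are not reported."""
    out = {}
    for key, bodies in index_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            out[key] = {"first_wins": bodies[0], "last_wins": bodies[-1]}
    return out


def triage_duplicates(data: bytes) -> dict:
    """Apply the heuristic's severity rule: a duplicate only matters when one of the
    competing bodies carries active content."""
    report = {}
    for key, pair in duplicate_objects(data).items():
        report[key] = dict(pair, active=any(ACTIVE_RE.search(b) for b in pair.values()))
    return report


def extract_urls(data: bytes) -> dict:
    """Map URL -> channel. 'uri_action' when the URL is the target of a /URI action
    (a click target); 'body' for anything else the raw scan finds, which is where
    XMP namespace identifiers and font-vendor strings show up."""
    found = {}
    for m in URI_ACTION_RE.finditer(data):
        found[m.group(1).decode("latin-1")] = "uri_action"
    for m in URL_RE.finditer(data):
        found.setdefault(m.group(0).decode("latin-1"), "body")
    return found


# Constructed sample, not the analysed file: a one-page PDF whose link annotation
# (object 5) is re-defined by an appended incremental update to point at a lure,
# plus an XMP metadata stream whose namespace URI a naive URL scan also picks up.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Metadata /Subtype /XML /Length 93 >> stream\n"
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\n'
    b"endstream endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.test/benign) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # incremental update: same object number and generation, different body
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.example/invoice.pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, info in triage_duplicates(SAMPLE_PDF).items():
        print(f"object {key[0]} {key[1]}: active={info['active']}")
        print("  first-wins:", info["first_wins"].decode("latin-1"))
        print("  last-wins: ", info["last_wins"].decode("latin-1"))
    for url, channel in sorted(extract_urls(SAMPLE_PDF).items()):
        print(f"{channel:10s} {url}")
```

Run stand-alone it prints the two competing bodies of object 5 0 with the active flag set (both carry a /URI action), and three URLs: the two link targets labelled uri_action and the RDF namespace URI labelled body, which is exactly the distinction the EMBEDDED_URL note asks the analyst to keep in mind. Hex-string targets (/URI <...>), URLs inside FlateDecode streams or object streams, and cross-reference streams are not covered; a real triage inflates streams first and then applies the same two passes.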

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five carved objects are embedded sfnt fonts; no script, embedded file or second-stage payload was carved, which matches the summary above.

font_00_sfnt_off0000d1f8.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD1F8
  Size: 5068 bytes
  SHA-256: af845aac2bd789cc0bf11dd270ca5edb0273516011372a8322af5c6eebecf1bc

font_01_sfnt_off0000e335.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE335
  Size: 6428 bytes
  SHA-256: 1b520bbce79d38417e5cc212f748bc0af6a065c4a4d7dd233b9a7710cbea9198

font_02_sfnt_off0000fa1c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFA1C
  Size: 9524 bytes
  SHA-256: 1e5687b4a6aca64fe823a3427c1e56dfe348c0d9755254c339d1e75eba983f43

font_03_sfnt_off00011a1f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11A1F
  Size: 4324 bytes
  SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378

font_04_sfnt_off00012820.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12820
  Size: 10060 bytes
  SHA-256: 600dbe5a4effe4bf7d3ce74dce0bd60fe5fb360ff00210d78392ed0950bc6580