Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba47f3d5e4d4de3c…

Verdict: MALICIOUS
File type: PDF
Size: 88.9 KB
Created: 2021-03-15 15:33:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 89cf55e49cc15cc06f8815efb26c1f8c
SHA-1: e14e38f6053a4d6a06521c5da3636520d54a7d38
SHA-256: ba47f3d5e4d4de3c17cb7766c05e967625dd3d30764e795384ac4a852aa52215
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A heuristic fired on an external URI in the PDF that points to a suspicious domain, which is likely part of a phishing attempt. The ML classifier and the ClamAV detection both strongly indicate malicious intent. Although no scripts were extracted, the presence of an embedded URL suggests that the document's purpose is to redirect the user to a malicious site, likely for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e7d6.bin | 721cc2fdd3dc595dcb3ceb283710897e6e3f946895107a6db3eba0a731c1121f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE7D6 | 5684 bytes
font_01_sfnt_off0000fbb3.bin | 85218aa3ed26c39fe6b427e498c3456d16fe1edb3bc94a70924567dcd9cbc4f5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFBB3 | 5072 bytes
font_02_sfnt_off00010ce2.bin | 593a452f0795506ac97007ad32b21767cc543cb1bc716fd74108abb5279d52e6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10CE2 | 6640 bytes
font_03_sfnt_off00011e80.bin | 57805f9a2a9680b09f504b8a9a0681a617b1867f6495c161c7ffb99747c46158 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E80 | 11624 bytes
font_04_sfnt_off0001456b.bin | a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1456B | 4324 bytes