Malicious PDF — malware analysis report

Static analysis result for SHA-256 baf5030ed5ba7cc2…

MALICIOUS

PDF

79.2 KB Created: 2021-03-02 13:37:28 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b1a492580ca83ff9c835ffc5eaed267b SHA-1: 5311ba3db3e9d89ad531c3d554cab97712969a59 SHA-256: baf5030ed5ba7cc2f285dc9707b55fa3a1e8b8fed33b39b2fd65f7d396cd0c71
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains an embedded URI pointing to a suspicious domain, identified by ClamAV as Pdf.Phishing.Trojan. The ML classifier also flagged this PDF with high confidence. The presence of an external URI suggests an attempt to redirect the user to a malicious site, likely for phishing or to download further malware. No scripts were extracted, but the overall structure and heuristics indicate a malicious intent to lure users via a deceptive link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/wix?keyword=zelda+like+flash+games
    • https://cdn.sqhk.co/pidefatop/GimMXii/29407695118.pdf
    • https://cdn-cms.f-static.net/uploads/4367667/normal_5fd3ca4c14be9.pdf
    • http://zeboxagekej.sportsontheweb.net/dalizerixuxawidowuxux.pdf
    • https://cdn.sqhk.co/fadejiweruw/raicijr/g-_stomper_flph_free_edm_123.pdf
    • https://cdn-cms.f-static.net/uploads/4407318/normal_6024a8f3b8358.pdf
    • http://wedipum.mygamesonline.org/zevegurav.pdf
    • http://rajukilodagoje.mygamesonline.org/does_family_take_a_singular_or_plural_verb.pdf
    • https://cdn.sqhk.co/gasariba/cGhhNQ8/gulumufugezagigenatenabi.pdf
    • https://cdn.sqhk.co/raxoxawupej/iPgdBjd/40277348186.pdf
    • https://cdn.sqhk.co/kelanadu/6vS4akb/used_car_sales_manager_jobs_near_me.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/bevarolimesale/play_naruto_online_free_no.pdf
    • https://s3.amazonaws.com/wetowuzuxit/13617537862.pdf
    • https://s3.amazonaws.com/wejuvono/eset_mobile_security_premium_apk.pdf
    • https://s3.amazonaws.com/xuxifuzituwu/calligraphy_workbook_free_download.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fc0f.bin
6843215665258b3b2e2607e2ad4300cf2cf45560a56312c31567fbabd6a77eed		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC0F 5244 bytes
font_01_sfnt_off00010dc9.bin
1393cc3607c42418d2bf4228fedc6dadd6113b54ee5924577518298311feabd6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10DC9 10176 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.