Malicious PDF — malware analysis report

Static analysis result for SHA-256 baf997d98c07047d…

MALICIOUS

PDF

Size: 303.2 KB   Created: 2021-05-18 23:49:50 +03:00   Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69c5fbee416b2b57e238eece1e1dad1b SHA-1: 512bd170b884e68ce5853cc153a45ec0c96b70ad SHA-256: baf997d98c07047dc72eb9c7403b3c64ebccf06a700d85206a7b5a20e655e05f
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an external /URI action (PDF_URI), and the extracted URL set is headed by https://xezojetit.ru/strik?utm_term=..., a suspicious domain; a click-through redirect from a lure document is a common delivery tactic for phishing and malware distribution. The Nyx classifier (0.9899) and the ClamAV signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 both flag the file. No JavaScript or other script heuristic fired and no scripts were extracted, so the T1059.007 mapping rests on the classifier and signature rather than on recovered script content; the observable behaviour is a redirect to an external site, most likely for credential harvesting or second-stage payload delivery. Two further observations support the phishing read: the query string on the primary URL is a textbook title plus "pdf", and the remaining links point to .pdf files on site-builder and free-hosting domains (weebly.com, strikinglycdn.com, iblogger.org, rf.gd, s3.amazonaws.com), the pattern of ebook-download lure pages, while the wkhtmltopdf producer string shows the document was rendered from an HTML page rather than authored in a PDF tool.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9899

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one object to a scanner and another to the victim's viewer. Body-only differences are normal in benign incremental updates (a saved form field, an added signature), so severity is raised only when the duplicate carries active content such as an action or a script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels, where the scanner provides them, show which channel (macro, JS, link annotation, document body, ...) reached each URL. The list below mixes navigable targets with string references: the w3.org, purl.org and ns.adobe.com entries are RDF, Dublin Core and XMP namespace identifiers from the metadata packet, and the scripts.sil.org/OFL and dejavu.sourceforge.net entries are font-licence URLs, most likely carried in the embedded fonts' name tables. Those are inert. The .pdf links on site-builder and free-hosting domains and the xezojetit.ru link are the ones worth resolving in a sandbox.
    URL https://xezojetit.ru/strik?utm_term=data+mining+concepts+and+techniques+2nd+edition+pdf
    • http://robudodupuwa.iblogger.org/bon_iver_skinny_love_piano_sheet_music.pdf
    • https://xebanodax.weebly.com/uploads/1/3/5/3/135382800/44470176e7b163e.pdf
    • https://zaroralovez.weebly.com/uploads/1/3/0/8/130814195/6105318.pdf
    • https://zokuxupan.weebly.com/uploads/1/3/1/4/131412362/6a9cb869.pdf
    • https://static.s123-cdn-static.com/uploads/4385847/normal_5fe3f1a764486.pdf
    • https://mujoganik.weebly.com/uploads/1/3/0/7/130776873/dde9b90f1a.pdf
    • http://damisidituwupo.iblogger.org/xopopukepafa.pdf
    • http://wajagokigipato.iblogger.org/emboss_effect_photoshop.pdf
    • https://cdn-cms.f-static.net/uploads/4423430/normal_6067419aae3d6.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/dc7953b7-e900-4bb8-8355-4b843c8cc083/puzanibisudijewija.pdf
    • https://s3.amazonaws.com/jiwisi/sevewebepalan.pdf
    • https://uploads.strikinglycdn.com/files/5abbcf8c-5c74-4817-9d2c-6097e7c6bb84/50712817170.pdf
    • https://uploads.strikinglycdn.com/files/34b1c1de-cd21-4256-8775-7133063f577b/the_green_mile_racism_quotes.pdf
    • http://ribaxexumipo.rf.gd/wugobafako.pdf
    • https://uploads.strikinglycdn.com/files/d6f67b65-4f11-4f84-a147-a4f6737e0f56/lemitajoziz.pdf
    • https://uploads.strikinglycdn.com/files/ce106fcc-b9b7-40d2-a67e-c33c07596c3a/simple_song_to_play_on_bass_guitar.pdf
    • https://uploads.strikinglycdn.com/files/07706f2e-28ad-4006-891c-0c1d0bc6356d/71640498325.pdf
    • https://uploads.strikinglycdn.com/files/1c8deccb-e3fc-4de7-a875-a224b17645f6/vawojilipuxefudomot.pdf
    • https://uploads.strikinglycdn.com/files/e93e8ff7-d875-4dc4-8b99-2900956385f5/2000_chevy_s10_service_manual_free_download.pdf
    • https://uploads.strikinglycdn.com/files/f894ae04-6aba-411f-accc-3c4585cd1e53/is_harry_potter_good_for_a_6_year_old.pdf
    • https://s3.amazonaws.com/petikamov/55092398687.pdf
    • https://uploads.strikinglycdn.com/files/12484d2b-3ba0-4806-9c9b-30c575534e36/78881306992.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
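The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above are easy to reproduce with a raw-bytes scan. The Python below is an added example written for this page, not output of the scanner that produced the report. It runs over a constructed two-revision PDF (embedded inline, no xref tables, which is exactly the case where viewers fall back to scanning for objects) in which object 5, a link annotation, is redefined by an incremental update with a different /URI target. It lists duplicate definitions, distinguishes the ones that carry an action, and labels every URL-looking string by the channel that reaches it under both a first-wins and a last-wins view of the object set. The regexes, the policy names and the label names ("uri-action", "shadowed-uri-action", "string") are the example's own.

```python
import re

# Constructed sample (not the analysed file). Object 5 is a link annotation
# redefined by an incremental update; object 6 is an XMP packet whose namespace
# URI is a bare string, not a link action.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>')

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [5 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (http://www.example.org/) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /Metadata /Subtype /XML /Length "
    + str(len(XMP)).encode() + b" >>\nstream\n" + XMP + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
    # Incremental update: same object number and generation, different body.
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://xezojetit.ru/strik) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R /Prev 0 >>\n%%EOF\n"
)

# "N G obj ... endobj" definitions in file order. Stream bodies are kept as raw
# bytes; a production parser would skip binary stream data so object-like text
# inside it cannot be matched.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_STRING_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")


def find_object_definitions(data):
    """Map (number, generation) -> list of body bytes, in file order."""
    defs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        defs.setdefault(key, []).append(m.group(3).strip())
    return defs


def duplicate_objects(defs):
    """Objects defined more than once with differing bodies (identical
    re-definitions are ignored, as the heuristic text describes)."""
    return {k: b for k, b in defs.items() if len(b) > 1 and len(set(b)) > 1}


def resolve(defs, policy):
    """Simulate a first-wins or last-wins reader. Real readers walk the xref
    chain, but on a damaged or xref-less file they scan, and last-wins is what
    an incremental update amounts to."""
    idx = 0 if policy == "first" else -1
    return {k: bodies[idx] for k, bodies in defs.items()}


def uri_actions(body):
    """URI targets of /S /URI actions in one object body (literal strings only;
    hex strings and indirect /URI references are out of scope here)."""
    if not URI_ACTION_RE.search(body):
        return []
    return URI_STRING_RE.findall(body)


def active_duplicates(data):
    """Duplicate definitions carrying active content (here: a URI action),
    the case where the heuristic's severity is raised."""
    dups = duplicate_objects(find_object_definitions(data))
    return {k: b for k, b in dups.items() if any(uri_actions(x) for x in b)}


def classify_urls(data, policy="last"):
    """Label every URL-looking string in the file by channel: 'uri-action' if a
    `policy` reader resolves an object whose /URI action targets it,
    'shadowed-uri-action' if only a discarded duplicate does, 'string' if it
    occurs only as text (XMP namespaces, font licences, ...)."""
    defs = find_object_definitions(data)
    live = {u for body in resolve(defs, policy).values() for u in uri_actions(body)}
    every = {u for bodies in defs.values() for b in bodies for u in uri_actions(b)}
    labels = {}
    for url in URL_RE.findall(data):
        label = "uri-action" if url in live else ("shadowed-uri-action" if url in every else "string")
        labels.setdefault(url.decode("latin-1"), label)
    return labels


if __name__ == "__main__":
    for (num, gen), bodies in active_duplicates(SAMPLE_PDF).items():
        print("object %d %d defined %d times with active content" % (num, gen, len(bodies)))
    for policy in ("first", "last"):
        print(policy, classify_urls(SAMPLE_PDF, policy))
```

Run it and the two views disagree on which URL is live: a first-wins scan reports example.org as the action target and the xezojetit.ru link as shadowed, a last-wins scan reports the reverse, and the w3.org namespace is a plain string under both. That disagreement, not the URL itself, is what the duplicate-object heuristic is scoring.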

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00045778.bin
  SHA-256: c96dd9cc856c975d468c4c8c12e7045690f127de448a3699e0d27dd8bd2e224e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x45778
  Size:    5696 bytes

Filename: font_01_sfnt_off00046abe.bin
  SHA-256: 905ee2455c5622a700ecf6f79fc938416cdadff3aba4c5f2c3baaf9e0d9373df
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x46ABE
  Size:    16568 bytes

Filename: font_02_sfnt_off000498e2.bin
  SHA-256: 2173a1880e9f774f759393e7d0d28dda91d04d8a3eae6bea41b822770b343b90
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x498E2
  Size:    16060 bytes
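How artifacts like the three sfnt blobs above are carved can be shown with a content-based scan: walk every stream object, inflate it if it is FlateDecode'd, and keep the ones whose first bytes are an sfnt version tag. The Python below is an added example, not the analysis pipeline's own carver. The PDF it scans is constructed inline with one page-content stream and two stub TrueType blobs (one compressed, one stored), and the choices that "offset" means the file position of the raw stream data and "size" the inflated length are the example's, not necessarily the report's. The filename pattern mirrors the one in the table above.

```python
import hashlib
import re
import struct
import zlib

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n")
# Direct /Length only; "/Length 12 0 R" (indirect) is excluded by the lookahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# TrueType 1.0, Mac 'true', CFF-based 'OTTO', collection 'ttcf'.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def fake_sfnt(tag=b"cmap"):
    """A 32-byte blob that starts like a TrueType sfnt (version 1.0, one table
    record, 4 bytes of table data). Constructed for the example; not a usable font."""
    return (struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
            + struct.pack(">4sIII", tag, 0, 28, 4) + b"\0\0\0\0")


def stream_object(num, dict_entries, payload, compress):
    """Serialise one stream object, FlateDecode'd or stored."""
    data = zlib.compress(payload) if compress else payload
    filt = b"/Filter /FlateDecode " if compress else b""
    d = b"<< /Length %d %s%s >>" % (len(data), filt, dict_entries)
    return b"%d 0 obj\n%s\nstream\n%s\nendstream\nendobj\n" % (num, d, data)


FONT_A = fake_sfnt(b"cmap")
FONT_B = fake_sfnt(b"glyf")

# Constructed sample (not the analysed file).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    + stream_object(2, b"", b"BT /F1 12 Tf (hello) Tj ET", True)      # page content, not a font
    + stream_object(3, b"/Length1 %d" % len(FONT_A), FONT_A, True)   # FlateDecode'd TrueType
    + stream_object(4, b"/Length1 %d" % len(FONT_B), FONT_B, False)  # stored uncompressed
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_streams(pdf):
    """One record per stream whose (inflated) bytes start with an sfnt magic.
    Offset is the file position of the raw stream data; size is the inflated size."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body, body_start = m.group(3), m.start(3)
        s = STREAM_RE.search(body)
        if not s:
            continue
        dictionary = body[:s.start()]
        raw_start = body_start + s.end()
        ln = LENGTH_RE.search(dictionary)
        if ln:
            raw = pdf[raw_start:raw_start + int(ln.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            raw = body[s.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        try:
            data = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
        except zlib.error:
            continue  # corrupt or multi-filter stream; a real carver would log it
        if not data.startswith(SFNT_MAGICS):
            continue
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), raw_start),
            "sha256": sha256_hex(data),
            "offset": raw_start,
            "size": len(data),
            "object": (int(m.group(1)), int(m.group(2))),
        })
    return found


if __name__ == "__main__":
    for rec in carve_sfnt_streams(SAMPLE_PDF):
        print("%(filename)s %(sha256)s offset 0x%(offset)X %(size)d bytes" % rec)
```

Matching on the inflated bytes rather than on /FontFile2 or /Length1 keys is deliberate: a font stream referenced through an unusual dictionary, or one deliberately mislabelled, is still carved, and anything that inflates to a non-sfnt payload is ignored. The stub blobs here only have a plausible header; verifying the table directory and checksums of a real carved font is a separate step before handing it to a rasteriser.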