Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbf367aa51fe372e…

MALICIOUS

PDF

70.9 KB Created: 2020-11-28 17:18:03 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e67c7dd87bae7fd9f18319bb2be72315 SHA-1: 5ccfd6c5ca4c815a0af11846c95f8249b0405959 SHA-256: bbf367aa51fe372e7beb7a7932048dcea13b29c51c026355bc29ae105a80c956
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. The embedded URL points to a domain that appears to be part of a phishing campaign, attempting to trick users into downloading further malware by posing as a manual for a 'Ring doorbell elite'. No scripts were extracted, but the PDF structure itself contains the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafftec.ru/strik?utm_term=ring+doorbell+elite+manual+pdf
    • https://cdn-cms.f-static.net/uploads/4444636/normal_5fa50adcdddd5.pdf
    • https://sisodiwitamusoz.weebly.com/uploads/1/3/2/6/132681746/sejozu-xajana-sitojunot.pdf
    • https://vujuzujotug.weebly.com/uploads/1/3/4/4/134478410/zuronavazuta.pdf
    • https://cdn-cms.f-static.net/uploads/4413707/normal_5f982e592d7f5.pdf
    • https://cdn-cms.f-static.net/uploads/4502439/normal_5fb4ffff26a1a.pdf
    • https://cdn-cms.f-static.net/uploads/4404105/normal_5fb254cdefa3e.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/zeworibuzoza/jesoniwomewafasemipawak.pdf
    • https://s3.amazonaws.com/rilexazejuzovep/clip_india_app_song.pdf
    • https://s3.amazonaws.com/fapaga/carbon_fibre_properties.pdf
    • https://s3.amazonaws.com/dogazisuze/sql_server_datetime_format_codes.pdf
    • https://s3.amazonaws.com/wixanarer/runiguduxufom.pdf
    • https://uploads.strikinglycdn.com/files/c1a96c20-4b70-422f-ae1d-b742fae49b46/mosipolumotoxavote.pdf
    • https://uploads.strikinglycdn.com/files/b8650714-702c-4ccc-b4fb-9ebf3c60c2a2/objetivos_de_auditoria_administrativa.pdf
    • https://s3.amazonaws.com/xefejevife/augmentin_iv_form.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9c6.bin
d62bfe8c4940c917a0fa812fdf3b8b6bd20aeafbc178c3601b69e466948bc125		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD9C6 5328 bytes
font_01_sfnt_off0000ebd3.bin
a32afa0af9aba70f13aba0e52718f547140ae577f5d9ab87473759875d666ebf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEBD3 10348 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.