Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf48107478a02d1f…

MALICIOUS

PDF

78.0 KB Created: 2021-03-19 15:39:02 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b569e5187bced36e52f37e0bf45ea353 SHA-1: 50d61dfa512ce4aaaff9349ee93805ec77fea343 SHA-256: bf48107478a02d1ff8f11cd017951a6e1493511811a22c5b675821a5a226965c
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. The 'SE_CLICKFIX' heuristic indicates social engineering, instructing the user to press Win+R or paste a command, which is a common tactic to bypass macro restrictions and execute arbitrary code. The embedded URL likely serves as the initial point for downloading a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://lozipotod.ru/123?utm_term=apex+update+not+ing
    • https://cdn-cms.f-static.net/uploads/4371272/normal_5fdafdb4e8cad.pdf
    • http://instasavephoto.com/84814089079x8tot.pdf
    • http://gukapeb.iblogger.org/child_info_form.pdf
    • http://towajemikof.iblogger.org/calcium_content_of_foods_chart.pdf
    • http://mists.space/2121872867r99e2.pdf
    • https://static.s123-cdn-static.com/uploads/4374380/normal_6003ed00cf6f2.pdf
    • https://static.s123-cdn-static.com/uploads/4365655/normal_5ff0dd37da912.pdf
    • http://disojunis.iblogger.org/seja_assertivo_livro.pdf
    • http://giftcard-sale.store/wenijividupale6zf0c.pdf
    • https://cdn-cms.f-static.net/uploads/4393900/normal_6050fc280a814.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/370d2c7e-56b3-4dc9-ab74-c98593fb0805/how_to_learn_stock_market_trading_india.pdf
    • https://uploads.strikinglycdn.com/files/19278931-99cc-4773-b0f8-3f753789e0a7/76426272174.pdf
    • https://uploads.strikinglycdn.com/files/44029d32-a745-41d4-aac0-602de8964833/car_air_conditioner_condenser_fan_not_working.pdf
    • https://uploads.strikinglycdn.com/files/5ed7c2e7-193b-475e-b6f6-71fbdb0486ab/viper_remote_start_error_manual_transmission.pdf
    • https://uploads.strikinglycdn.com/files/170fb40f-96d7-4cf7-b7b9-cc00b8daf8be/22552679598.pdf
    • https://uploads.strikinglycdn.com/files/0f3e4324-9a3f-4de8-bfd1-4f9c1c708233/24726295070.pdf
    • http://rokidibamufoduv.epizy.com/jubitemizukeboxukijad.pdf
    • https://uploads.strikinglycdn.com/files/8915c6e2-efea-48cc-afdb-41f81c8995d2/how_to_connect_hp_officejet_pro_8600_plus_to_mac.pdf
    • https://uploads.strikinglycdn.com/files/c0d75f86-25dc-4e65-905a-cb6a3a1b91ca/srimad_bhagavad_gita_gujarati_audio.pdf
    • https://uploads.strikinglycdn.com/files/f3e3f19a-7295-4cd4-a23b-f5dc9628cf30/xukefamisas.pdf
    • https://uploads.strikinglycdn.com/files/ec62f289-9e86-4abd-8bf4-45c776074b76/is_graco_snugride_snuglock_compatible_with_click_connect.pdf
    • https://uploads.strikinglycdn.com/files/6204ef52-3ff6-40d3-8fe9-3b25bd680720/86674233154.pdf
    • https://uploads.strikinglycdn.com/files/632dd317-99f5-46e8-b3e7-b938e4f859ca/the_lion_and_the_mouse_story_sequence.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e550.bin
10beb3bbb10e347839d78e24bd6d3eace8fc0a676c55850c43f5e7a31189ac5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE550 4760 bytes
font_01_sfnt_off0000f599.bin
641295948963c93068c1f765dbd70e52c7383fe3687f629c1155442a73cd5cb8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF599 11124 bytes
font_02_sfnt_off00011b69.bin
4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11B69 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.