Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf8d9c595c9a82dc…

Verdict: MALICIOUS
File type: PDF
Size: 74.8 KB
Created: 2021-03-22 20:12:36 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3767bb74cdbee8ccd9af3fd190f5276d
SHA-1: d1a2fd8a0f11b9d216d069c11122a65dcaf9f59d
SHA-256: bf8d9c595c9a82dc2bd44a1da19498e27ee8421b216920f08e39650768e1637e
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of external URIs, specifically 'https://ponafet.ru/123?utm_term=fitted+sheets+online+australia', suggests it is likely a phishing lure or a downloader for further malicious content. Although no scripts were explicitly extracted, the PDF structure and heuristic firings point towards a malicious document, potentially leveraging embedded JavaScript for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/123?utm_term=fitted+sheets+online+australia
    • http://tradebot.space/befojikujutocvrm8.pdf
    • https://cdn.sqhk.co/jogekiluse/ijE4ljc/monstera_plant_cutting_in_water.pdf
    • https://cdn.sqhk.co/vovewotutal/gejgjdI/34616334566.pdf
    • https://cdn-cms.f-static.net/uploads/4403260/normal_6011f177ee93a.pdf
    • https://cdn-cms.f-static.net/uploads/4479916/normal_5fd734aa8a26c.pdf
    • http://electrumwallet.buzz/74976972644hy260.pdf
    • http://meriline.store/2003_jeep_liberty_fuse_box_layoutirirp.pdf
    • https://cdn-cms.f-static.net/uploads/4450347/normal_601bfe68a4724.pdf
    • https://cdn.sqhk.co/lepavenujal/ptJoicJ/fejudadiruxogaman.pdf
    • https://cdn-cms.f-static.net/uploads/4451565/normal_603db8baa2e93.pdf
    • http://repochka.site/belt_and_road_initiative_for_win_winmgg8p.pdf
    • https://cdn.sqhk.co/letarezetap/BgfBgji/jidetur.pdf
    • http://game-pro.xyz/899817281098tapd.pdf
    • http://voirlo.xyz/90445112692kmc5c.pdf
    • http://pinipuvazus.22web.org/deguwevevupagajixo.pdf
    • https://cdn-cms.f-static.net/uploads/4464865/normal_60392c9b30376.pdf
    • http://sollabs.xyz/41902300080e4gv1.pdf
    • http://autolombardpro.ru/tascam_cd-rw900mkii_professional_rackmount_cd_recorder_playerhru6s.pdf
    • http://datujizid.iblogger.org/collocation_information_in_marathi.pdf
    • http://xajoraxi.22web.org/beledoxunuvutem.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://167c2301-eccc-4e3a-a609-38a4f17b9bf8.filesusr.com/ugd/b1dabf_3d99185a093d4600994123c5658497b9.pdf?index=true
    • http://buletamapa.rf.gd/whats_the_advantage_of_tidal_power.pdf
    • http://dapuseda.rf.gd/dedufimewasofi.pdf
    • https://9cf93ecd-64ee-4ad6-afcc-f350577a7522.filesusr.com/ugd/c4dbd3_06c6d67e287645d1b4720983b3af6e30.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eabf.bin
    SHA-256: b951b61e2196892391be6cfdd21601fea6553eb4eb307d6cdd8e8f32a741dffe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEABF
    Size: 4868 bytes
  • font_01_sfnt_off0000fb42.bin
    SHA-256: fd8c4473998b9f99ea54a0689da602337ac1934ce2752289743783bd83af8fd2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB42
    Size: 10096 bytes