Malicious PDF — malware analysis report

Static analysis result for SHA-256 c9b8fa9eec1da835…

MALICIOUS

PDF

Size: 392.7 KB
Created: 2021-03-29 03:24:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 869ffca6f8431397adaeaf939110286f
SHA-1: be3f436d0e9251288345d22688383d5c8af7e6d3
SHA-256: c9b8fa9eec1da8356fca8f60b068a4dff1c81ca735c8888b1cc979fe4746c795
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged as malicious by ClamAV and an ML classifier, exhibiting characteristics of an advance-fee scam. It contains an embedded URI pointing to 'ponafet.ru', which is likely a phishing or malware distribution domain. The document body, though truncated and containing metadata, suggests a lure related to a 'white fang summary chapter 3', indicating a social engineering pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9321

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/strik?utm_term=white+fang+summary+chapter+3
    • https://noguvipeves.weebly.com/uploads/1/3/4/7/134717425/rinedikipozip_fizedodarilek.pdf
    • https://pegepefip.weebly.com/uploads/1/3/4/4/134455730/lesexonedoluju-zirukelenomur.pdf
    • http://zisuroto.mygamesonline.org/converter_to_word_freeware_download.pdf
    • http://jogajep.medianewsonline.com/taj_mahal_information_in_marathi.pdf
    • https://sutivekawexebe.weebly.com/uploads/1/3/1/6/131636655/6508798.pdf
    • https://wemadaxofopu.weebly.com/uploads/1/3/4/7/134752229/vizajiwu_dekaliv_zujete_gutudevalobi.pdf
    • http://xuforaxi.22web.org/pajisabipijuferunolid.pdf
    • http://memowelubi.mygamesonline.org/8341798284.pdf
    • http://pumorux.medianewsonline.com/93981869155.pdf
    • http://xajotupefaku.22web.org/69911700612.pdf
    • https://lukadivosegiga.weebly.com/uploads/1/3/4/6/134679105/fifemo_titituxukugesi_tojug.pdf
    • http://dosubodanes.mypressonline.com/lenifawipaxuf.pdf
    • http://gakukuketisalum.scienceontheweb.net/58158458739.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://bejutamukedus.epizy.com/73549200335.pdf
    • http://duliwijedij.rf.gd/computer_hardware_and_networking_jobs_interview_questions_with_answers_in_hindi.pdf
    • https://uploads.strikinglycdn.com/files/80922d82-784c-466e-8233-2514be3ea6ff/jirene.pdf
    • http://lamujep.rf.gd/guvixabogevegozigujepim.pdf
    • https://uploads.strikinglycdn.com/files/835ee0a7-a509-4772-b07a-11b450719d66/maytag_top_load_washer_error_code_f5.pdf
    • http://mitijolazu.rf.gd/51747244052.pdf
    • https://uploads.strikinglycdn.com/files/0d354a99-1ff9-48a8-8bbd-6d53509120e9/what_is_50_shades_of_gray_based_on.pdf
    • https://uploads.strikinglycdn.com/files/8a5a015f-8e88-4de8-8556-e397c03e3c36/4234103784.pdf
    • https://uploads.strikinglycdn.com/files/356e8cce-2fbc-4eab-b16a-5b48b3eb9e6f/motorola_talkabout_t5720_user_manual.pdf
    • http://jilagikudi.rf.gd/batho_pele_white_paper.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0005db91.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5DB91   5676 bytes
  SHA-256: efa76c9b84b7366df7fee48faabd575fc02f97a16387cf2df450b5fed4701d0c
font_01_sfnt_off0005eed5.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5EED5   10424 bytes
  SHA-256: be7d890f60f724a84a626b41a229c4c4e47427dca1c8d2eb4959a6d2d6cceb00