Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbfbc545108fa300…

MALICIOUS

PDF

Size: 107.1 KB
Created: 2021-03-18 22:03:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 75fe0c9549c47fcba4f17abc25ef2f2c
SHA-1: 935672f9242c4e64dcfa89d6b61cd5158b9eb72a
SHA-256: cbfbc545108fa300871f6f8902702ecae3404ff336b1f31ca37fc18093a5079a
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URL that directs users to a site offering a 'questionnaire template', which is likely a social engineering lure. Although no scripts were explicitly extracted, the PDF structure and embedded URI suggest it is designed to redirect users to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ponafet.ru/123?utm_term=questionnaire+template+to+get+to+know+someone

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off0001668a.bin
    SHA-256: a4767965f4b57f7a1b23b907709ad18ad1d82f4aabba9cbfed075bdb3fd645b9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1668A
    Size: 5356 bytes
  • Filename: font_01_sfnt_off000178bc.bin
    SHA-256: e6d6d17a63481acd2b9243f0526052612b55074f06748439660a441dd70025ef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x178BC
    Size: 10584 bytes