Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf324162ada34e83…

MALICIOUS

PDF

Size: 81.8 KB
Created: 2021-03-21 23:01:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 305285d882f0b8bac04984f56c5e4ed2
SHA-1: 821793b4c68483ba05443863f3823d4979331e40
SHA-256: cf324162ada34e8356a59d03a27859e0d98519d3e49a47d32af61505618be51a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a heuristic firing for an external URI pointing to a suspicious domain, and the ML classifier strongly indicates maliciousness. The document body, though heavily obfuscated, appears to be a lure related to a product manual, likely intended to trick the user into clicking the malicious link. No scripts were extracted, but the presence of an external URI and the ML detection suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                   | Size
------------------------------|------------------------------------------------------------------|-----------------|------------------------------------------|------------
font_00_sfnt_off0000fdc4.bin  | aa80e7a6ba963feddeb6ecc6ad6bcbf77e739c850ab7cbb2230f96b1fcf60b31 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFDC4  | 5608 bytes
font_01_sfnt_off000110c3.bin  | 13f70e7c6928da2d91df625f7617288671ee53e819bf2f43788a2cb7c49bb3a1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x110C3 | 11844 bytes