Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0a34d9ca0d5d41d…

MALICIOUS

PDF

Size: 84.4 KB
Created: 2021-03-28 18:15:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8d8c13f9db7cbd050db3f09f34759ce0
SHA-1: dc6396a7e71f7e6414018933f282f8a9ca31b917
SHA-256: d0a34d9ca0d5d41d5a69cb6b910a3362c4517409b4d09d46d5037b2b64792094
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URI pointing to a suspicious domain, identified by heuristics as an external URI and an embedded URL. ML classification and ClamAV detection strongly indicate maliciousness. The document body, though heavily obfuscated, appears to be a lure related to a 'food list', suggesting a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/strik?utm_term=danette+may+30+day+challenge+food+list
    • https://cdn-cms.f-static.net/uploads/4379046/normal_5fdbfd59e9ae6.pdf
    • https://cdn-cms.f-static.net/uploads/4368972/normal_6045f403d967a.pdf
    • http://wewofif.scienceontheweb.net/80650316643.pdf
    • https://mekumago.weebly.com/uploads/1/3/5/9/135981587/8859360.pdf
    • https://cdn-cms.f-static.net/uploads/4366042/normal_6022ca70b1b28.pdf
    • http://luminar4-download.xyz/98679601634097ok.pdf
    • http://circus.market/it_service_management_plan_templateuj22z.pdf
    • https://nogusuxewi.weebly.com/uploads/1/3/1/4/131438155/dazipuwiz_xolumixadev_pidedotoxut_gojowelod.pdf
    • https://static.s123-cdn-static.com/uploads/4424040/normal_60028d3313f3d.pdf
    • https://lipuxavevafip.weebly.com/uploads/1/3/1/3/131398459/zinoxat-xixujosew.pdf
    • https://wogizirimabote.weebly.com/uploads/1/3/5/3/135337148/3819967.pdf
    • https://limikasideg.weebly.com/uploads/1/3/4/4/134446439/d5c91.pdf
    • http://optalpha.com/69668427116o3q0r.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://gipebevu.atwebpages.com/how_many_calories_are_in_a_jiffy_corn_muffin.pdf
    • http://betakudo.atwebpages.com/2518535673.pdf
    • https://5fb42ee6-a9be-400a-98f2-f9d4b9f720c8.filesusr.com/ugd/1813b3_176fffd8d05f4889a6daf34123bf39e8.pdf?index=true
    • http://puribisipup.atwebpages.com/tivojol.pdf
    • https://5f8b0e40-2141-4341-98ab-6145db4b8156.filesusr.com/ugd/2072cd_45838cf66230478e8bcbbc16c541c0eb.pdf?index=true
    • https://uploads.strikinglycdn.com/files/863e6af1-9ea0-4862-a522-b7c43728d336/la_la_land_tabs.pdf
    • https://uploads.strikinglycdn.com/files/305182d7-daad-4ec0-a99e-c040d5ba0b56/sword_art_online_alicization_light_novel_read_online_free.pdf
    • https://uploads.strikinglycdn.com/files/12f21bcb-ece6-4b69-9833-eda2ecbb0d31/why_are_partnerships_important_in_education.pdf
    • https://uploads.strikinglycdn.com/files/dd80fd59-325b-4ec5-a3f9-ea8c3af9ecbf/fonegetaxewuwigat.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fd5a.bin
  SHA-256: ba9a0ba623ed477a64d3518d53262dd0abec41147d5cc1e9f07a4dd45405e2c8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFD5A
  Size: 5748 bytes

Filename: font_01_sfnt_off000110d4.bin
  SHA-256: fde507d3e12ec33e68adf7e75fc7402ffd28b0db1492fb6dd1e3c49ab7b9519b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x110D4
  Size: 3120 bytes

Filename: font_02_sfnt_off00011d59.bin
  SHA-256: d2582c98fbfe80b04bfdec73879f7b5f81394461896929d3e2e7b27210c73fa0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11D59
  Size: 10848 bytes