Malicious PDF — malware analysis report

Static analysis result for SHA-256 d41e778226de6095…

MALICIOUS

PDF

Size: 80.0 KB
Created: 2021-03-25 12:02:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d6ec1172ec6c42f845e533fb48a8c766
SHA-1: 26bed9065ee7e29bb034431b91c9d00f7a76feb4
SHA-256: d41e778226de609571b6c0fb903e8fe2b515ecfdb8113a6775b6a1e079ec14ff
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF document, generated with wkhtmltopdf, whose link annotations carry external URL actions. One of them points to a suspicious domain (ponafet.ru) with a query string themed around playing Magic: The Gathering online; most of the others point to further PDF files hosted on CDN and free-hosting domains (strikinglycdn.com, f-static.net, epizy.com, rf.gd), a cross-linking pattern typical of search-engine lure documents. The ML classifier (malicious score 0.9998) and the ClamAV phishing signature both indicate maliciousness. The ponafet.ru URL likely serves as a lure to a phishing or malware distribution site, and the document body, though heavily obfuscated, suggests an online-gaming theme chosen to entice clicks. Note that the w3.org, purl.org, ns.adobe.com and scripts.sil.org entries in the URL list are XMP metadata namespace identifiers and a font licence URL, not navigable link targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the latest cross-reference table resolves the last definition, while a linear scanner or a reader that trusts the first definition it meets resolves the earlier one, so two tools can see different content for the same object. This is a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a new copy of the changed object), so severity is raised only when the duplicate carries active content such as a URI, JavaScript or launch action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/aws?utm_term=how+to+play+modern+magic+the+gathering+online
    • https://cdn-cms.f-static.net/uploads/4496602/normal_602c0ce1adf3f.pdf
    • https://cdn-cms.f-static.net/uploads/4460950/normal_6036def42ff6f.pdf
    • https://cdn-cms.f-static.net/uploads/4406168/normal_6018d2a7dadbf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8dec09e4-9f15-4593-b504-369be42fc704/how_to_lose_weight_by_cutting_calories.pdf
    • http://sabuxixu.epizy.com/22411029138.pdf
    • http://magapupegijovot.epizy.com/schwinn_stationary_bike_seat_cover.pdf
    • https://uploads.strikinglycdn.com/files/a4ae6527-0077-4f89-b521-1e1ae57b5651/nutone_intercom_doorbell_cover.pdf
    • https://uploads.strikinglycdn.com/files/6023f2ed-46ab-470c-8893-e1f6a186c312/36505653238.pdf
    • https://uploads.strikinglycdn.com/files/3425a33a-32f7-4660-99fa-d7a063f51b2c/what_defines_a_full_time_employee.pdf
    • https://uploads.strikinglycdn.com/files/f21199d8-960b-4d12-af3d-ba163fc7120b/gosirewokawi.pdf
    • https://uploads.strikinglycdn.com/files/ab08b7df-82ea-4c04-9109-cf0dd1c1d2f6/how_to_unlock_tx1500e_thermostat.pdf
    • https://uploads.strikinglycdn.com/files/44104697-ab8b-4761-8a58-019d71d5815d/vonijodinogasajolelo.pdf
    • https://uploads.strikinglycdn.com/files/d7f313af-ccd2-4223-9d8f-3bdb1116c532/wefakatabonijovimezesowab.pdf
    • https://uploads.strikinglycdn.com/files/934908ae-6e83-481d-99aa-447b520b49ea/pokemon_fire_red_release_date.pdf
    • http://nazifaba.rf.gd/66282863147.pdf
    • https://uploads.strikinglycdn.com/files/1498ef7f-80ab-42be-855f-0e0ee4492386/26477535996.pdf
    • http://gitipezusev.rf.gd/94169645540.pdf
    • http://zerujafulo.rf.gd/28615862721.pdf
    • https://uploads.strikinglycdn.com/files/a6b66175-6ab2-4b6e-9234-d30350082136/22299268697.pdf
    • https://uploads.strikinglycdn.com/files/958b7d56-3de7-4256-aa3d-1210c963428c/how_to_deal_autism.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
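The duplicate-object and URL heuristics above can be reproduced with a small scanner. The following Python is an added example written for this report, not the analysis tool's own code: it parses every `N G obj ... endobj` definition in a PDF's raw bytes, reports object numbers defined more than once with differing bodies (separating the first-wins from the last-wins body and raising severity only when a definition carries active content such as /URI, /JS or /OpenAction), and extracts /URI action targets. The input is a constructed two-revision PDF, not the analysed sample: its link annotation is redefined in an incremental update to gain a /URI action pointing at a hypothetical lure URL, and the object numbers and URL are invented for the example.

```python
import re

# Constructed two-revision PDF (not taken from the analysed sample): object 4 0 is
# first a bare Link annotation, then redefined in an incremental update with a
# /URI action. The lure URL is hypothetical.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] >>
endobj
trailer
<< /Root 1 0 R /Size 5 >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.invalid/lure) >> >>
endobj
trailer
<< /Root 1 0 R /Size 5 /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind stops "14 0 obj" from also matching as "4 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values only: no escaped parentheses, no hex strings.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence means the object can trigger behaviour rather than just draw.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def parse_objects(data: bytes):
    """Every indirect-object definition in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def find_duplicate_objects(data: bytes):
    """Object numbers defined more than once with differing bodies.

    first_wins is what a linear scanner or a reader trusting the original xref sees;
    last_wins is what a reader honouring the latest incremental update sees.
    """
    defs = {}
    for num, gen, body in parse_objects(data):
        defs.setdefault((num, gen), []).append(body)
    findings = []
    for key, bodies in defs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            findings.append({
                "object": key,
                "definitions": len(bodies),
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
                "severity": "high" if active else "info",
            })
    return findings


def extract_uris(data: bytes):
    """/URI action targets in file order; each is a URL the viewer can open on click."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"{f['object'][0]} {f['object'][1]} obj defined {f['definitions']}x, "
              f"severity={f['severity']}")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
    print("URIs:", extract_uris(SAMPLE_PDF))
```

This is a triage aid rather than a full PDF parser: it does not inflate object streams or follow cross-reference tables, so objects hidden inside compressed /ObjStm containers are invisible to it, and the /URI extractor ignores hex-encoded and escaped strings. Run it on the raw bytes before any normalisation, since a re-saving tool will silently collapse the duplicate definitions the heuristic is looking for.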

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fa9c.bin
SHA-256: 1646634da9e03cf9f48e3d4ff04c519c77dc2484eff916cad3b58bd537532039
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFA9C
Size: 5464 bytes

Filename: font_01_sfnt_off00010d1d.bin
SHA-256: 247cc2fb6bedd4cc64567b6618fbf375fcb0beb5f4a05b453496c06b2d481e95
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10D1D
Size: 10960 bytes