Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4ffa0f9e0317d4f…

MALICIOUS

PDF

64.4 KB Created: 2021-01-18 04:27:39 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7387b80c828b0379df6182215278a1f3 SHA-1: 7529aaec57c692851991f88e08b802634f4c67bf SHA-256: d4ffa0f9e0317d4f12c320a6d4b296db4db42f3a75ee7f27d3816d169d36d934
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URL points to a resource that is likely part of a phishing or malware distribution scheme, disguised as a study guide. While no scripts were explicitly extracted, the PDF structure and heuristic firings suggest it may contain embedded JavaScript or exploit code to facilitate the download of a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafficel.ru/123?utm_term=mcsa+windows+server+2016+complete+study+guide+free+download
    • https://cdn-cms.f-static.net/uploads/4417997/normal_5fd6836b43c2a.pdf
    • http://viputixezererej.66ghz.com/fisovonopamu.pdf
    • http://rotixumuzu.22web.org/pupalokugibozozazagatati.pdf
    • https://site-1175027.mozfiles.com/files/1175027/modern_warfare_3_remastered_ps4.pdf
    • https://cdn.sqhk.co/zivuzigup/mghjegj/81727907948.pdf
    • https://static.s123-cdn-static.com/uploads/4450003/normal_5ff37790d05f0.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://rawozenagi.epizy.com/xelemisaxuveb.pdf
    • https://s3.amazonaws.com/dufekifaral/21_grams_movie_480p.pdf
    • https://s3.amazonaws.com/nowonovege/hydroblasting_training_guide.pdf
    • https://s3.amazonaws.com/jotizifime/low_back_pain_treatment_guidelines.pdf
    • https://s3.amazonaws.com/peveziwoguxuzam/jofisisatevig.pdf
    • https://s3.amazonaws.com/gotitibekovi/guvuparemodi.pdf
    • https://s3.amazonaws.com/midaguvimabof/mibesivera.pdf
    • https://s3.amazonaws.com/runuzitexokol/24175843756.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bc7c.bin
ce9dd9ad7a09e47192d2644d137f34a02c88a2381dbde7280d321b02bfc9fadf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBC7C 6212 bytes
font_01_sfnt_off0000d1bd.bin
dda92699ed0918d393ee2fa796d5ef7bcf71b3dede48cb77b085dd53ae08a99f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD1BD 10108 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.