Malicious PDF — malware analysis report

Static analysis result for SHA-256 d52653fff3d393f1…

Verdict: MALICIOUS
File type: PDF
Size: 211.7 KB
Created: 2021-03-20 17:47:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 54883ee29a28a1d4e6f3e6848b686a56
SHA-1: 1eca81c4d54d74417d48fcb35aaf9c766178b101
SHA-256: d52653fff3d393f10b8c646855b0fbf3b85c75d05cbdeed21c5302f8cdb19681
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

ClamAV (signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0) and the Nyx PDF classifier (score 0.9808) both flag the file, and the two detections are independent of each other, so the verdict does not rest on a single signature. The indicator that matters is the embedded URL 'https://ponafet.ru/123?utm_term=cyanobacteria+nitrogen+fixation+pdf': a query string that mirrors a search phrase for a PDF is the pattern of a search-engine-poisoning lure, where the document exists only to send the reader to a site that serves the real payload or a credential-phishing page. No JavaScript or other script content was extracted, so the T1059.007 mapping above is not supported by what the static pass found, and nothing in the structure points to an exploit of a reader vulnerability: the file is a wkhtmltopdf rendering of a web page, the one structural oddity (a duplicate object definition) is rated info and is common in benign incremental updates, and the risk comes from where the links lead, not from how the file parses. Most of the URL list below is noise for triage: the f-static.net, weebly.com, s3.amazonaws.com and mygamesonline.org entries are document-body links of the same random-name-PDF shape as the primary lure; the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespaces; and the sil.org, dejavu.sourceforge.net and ascendercorp.com entries are the licence, vendor and designer URLs carried in the name tables of the three embedded fonts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9808

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes, so a first-wins reader and a last-wins reader resolve different content; this parser-confusion shape is used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    • https://ponafet.ru/123?utm_term=cyanobacteria+nitrogen+fixation+pdf (label: URL)
    • https://cdn-cms.f-static.net/uploads/4393889/normal_6039a90068687.pdf
    • https://rufevefiwavanu.weebly.com/uploads/1/3/5/9/135992343/1930819.pdf
    • https://cdn-cms.f-static.net/uploads/4406481/normal_6009ef059fe89.pdf
    • https://cdn-cms.f-static.net/uploads/4410953/normal_604d978034154.pdf
    • http://tozidak.mygamesonline.org/antonin_artaud_selected_writings.pdf
    • https://xamubamujizej.weebly.com/uploads/1/3/1/4/131483378/1051006.pdf
    • https://static.s123-cdn-static.com/uploads/4385213/normal_5fdd8ea010a11.pdf
    • https://guzepebizosi.weebly.com/uploads/1/3/4/8/134880367/6810338.pdf
    • http://kalowodopole.mygamesonline.org/baldurs_gate_3_future_races_and_classes.pdf
    • https://xinozujo.weebly.com/uploads/1/3/0/8/130874257/vejetixil-jujakeno.pdf
    • https://silajawa.weebly.com/uploads/1/3/4/3/134339193/4550939.pdf
    • https://cdn-cms.f-static.net/uploads/4417029/normal_602c35fe7df76.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/kumasala/85258896661.pdf
    • https://s3.amazonaws.com/debiwelof/candle_light_song_video.pdf
    • https://s3.amazonaws.com/satulibaren/dagiwimolerixonevun.pdf
    • https://s3.amazonaws.com/xapijifas/58988792366.pdf
    • https://s3.amazonaws.com/donukadizolin/fabesizonujaviwobad.pdf
    • https://s3.amazonaws.com/poresi/how_do_you_train_your_mind_to_be_stronger_than_your_emotions.pdf
    • https://s3.amazonaws.com/xutomoxu/bhai_bhai_full_movie.pdf
    • https://s3.amazonaws.com/farezelof/87522849758.pdf
    • https://s3.amazonaws.com/bulalowisu/chrome_app_for_computer.pdf
    • https://s3.amazonaws.com/jemisajoda/stoke_park_membership_application_form.pdf
    • https://s3.amazonaws.com/gazitif/nujilosejiderexodakolemit.pdf
    • https://s3.amazonaws.com/solonebosop/android_developer_resume_4_years_experience.pdf
    • https://s3.amazonaws.com/jivala/dryer_sheet_hair_hack.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
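
A scanner for the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above, added here as an example and not the report's own tooling: it byte-scans a PDF for every "N G obj ... endobj" definition, reports indirect objects defined more than once with differing bodies together with what a first-wins and a last-wins reader would each resolve, extracts /URI action targets, and raises severity only when a competing body carries active content (/URI, /JavaScript, /Launch, ...). The sample PDF bytes, function names and the placeholder URL are constructed for this example; the second /URI target is the URL reported for this sample.

```python
import re
from collections import OrderedDict

# Constructed sample, not the analysed file: a one-page PDF whose incremental
# update (everything after the first %%EOF) redefines object 5, the page's only
# link annotation, with a different /URI target. The cross-reference tables are
# omitted because this scanner never consults them.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (https://example.org/benign.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (https://ponafet.ru/123?utm_term=cyanobacteria+nitrogen+fixation+pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj <body> endobj"; DOTALL so bodies may span lines.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI targets, allowing backslash escapes inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Dictionary keys that make a body "active content" for severity purposes.
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|URI|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile)\b")


def parse_objects(data):
    """Return {(num, gen): [body, ...]} with bodies in file order.

    A raw scan, not a cross-reference walk: it sees every definition in the
    file, including ones an incremental update has superseded, which is what
    the duplicate check needs. Streams are not decoded and /Length is not
    honoured, so a binary stream containing the bytes b"endobj" can split an
    object; a production tool should honour /Length.
    """
    objs = OrderedDict()
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def extract_uris(body):
    """URI targets of /URI actions in one object body (literal strings only;
    hex-encoded <...> strings are a known gap of this example)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]


def find_duplicate_objects(objs):
    """Objects defined more than once with differing bodies.

    Severity is 'info' for a plain body difference (normal in incremental
    updates) and 'high' when any competing body carries active content, the
    rule the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic describes.
    """
    findings = []
    for (num, gen), bodies in objs.items():
        if len(bodies) < 2 or len(set(bodies)) < 2:
            continue  # single definition, or re-emitted byte-for-byte
        first, last = bodies[0], bodies[-1]
        active = any(ACTIVE_RE.search(b) for b in bodies)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(bodies),
            "severity": "high" if active else "info",
            "first_wins_uris": extract_uris(first),  # what a scanning reader sees
            "last_wins_uris": extract_uris(last),    # what a conforming reader sees
        })
    return findings


def analyze(data):
    """Summary: distinct objects, every /URI target, duplicate-object findings."""
    objs = parse_objects(data)
    uris = sorted({u for bodies in objs.values() for b in bodies for u in extract_uris(b)})
    return {"objects": len(objs), "uris": uris, "duplicates": find_duplicate_objects(objs)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_PDF), indent=2))
```

Run it on a real file with analyze(open(path, "rb").read()). Ignoring the cross-reference chain is deliberate: a conforming reader resolves only the last definition of object 5, so the benign-looking first body would never be seen by it, while a scanning parser or a signature engine that takes the first definition sees only that benign body; reporting both sides is what makes the finding useful.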

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0002ef1e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2EF1E
  Size: 5328 bytes
  SHA-256: 1fb40ee4294bc88676a45221801be8eaf2ae17aaceca9aaf630656c73201072c

Filename: font_01_sfnt_off00030157.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x30157
  Size: 12596 bytes
  SHA-256: b834bc624255e14e5319524a8811dc031bc0303f2e6ecca40ebe26c9a01b621a

Filename: font_02_sfnt_off00032b40.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x32B40
  Size: 16060 bytes
  SHA-256: c43c81af3addadc619f1b50b0eb79006c69e58cb90abf43f7a5fbd940e22698c