Verdict: MALICIOUS
Risk Score: 96
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ClamAV and an ML classifier, with a high risk score. It contains an embedded URL pointing to 'ponafet.ru', which is flagged as suspicious. The document body, though heavily obfuscated, suggests a 'quiz' lure, aligning with phishing or malware delivery tactics. No scripts were extracted, but the presence of an external URI is a strong indicator of malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9991
Heuristics 4
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://ponafet.ru/strik?utm_term=possessive+pronouns+quiz+pdf (PDF link annotation)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0000e087.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE087 | 5032 bytes | 061d06806e5ce0c7fa9c7cc5a0dc7aacf2042b07f1cec679e0e2a8c434b48e03 |
| font_01_sfnt_off0000f1c8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF1C8 | 11188 bytes | 21cdee6509ea16e20f91850c840d9de080410cfe5a4010b178acf3a7bb5a9e55 |