Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9f5e613b27bc817…

Verdict: MALICIOUS
Type: PDF
Size: 82.0 KB
Created: 2020-11-24 04:26:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-18
MD5: 3ebb3b384534b7a1b2be6275840a4434
SHA-1: d5284968451c1f57b09078277ecb2b0735acc22b
SHA-256: d9f5e613b27bc8176dd054da497922e542c5fd2f938ea9294788e4374521198f
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by the Nyx machine-learning classifier and by ClamAV, whose signature name classifies it as a PDF phishing trojan. Its one actionable element is a /Link annotation whose URI action opens https://trafficel.ru/strik?utm_term=caligrafia+para+primer+grado, a suspicious domain most likely used for credential harvesting or malware distribution; the query string ("caligrafia para primer grado", Spanish for "calligraphy for first grade") and the document text, although obfuscated, show the file is dressed up as educational material. The remaining extracted URLs are plain strings in the document text (links to other hosted PDFs, font-licence references and XMP namespaces), not clickable actions. Note that none of the four heuristics below reports JavaScript, so the T1059.007 mapping is not corroborated by this static pass and should be treated as a classifier-level attribution rather than an observed script.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV signature match; the signature name classifies the file as a PDF phishing trojan.
  • External URI [info] PDF_URI
    The PDF contains an external URI action (a clickable link that opens a URL outside the document).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label records how each URL is reached (macro, JS, link annotation, document body, ...). Only the link-annotation URL is an action a viewer will follow on click; the document-text URLs are strings found in page content, font data and metadata.
    Channel: PDF link annotation (clickable URI action)
      • https://trafficel.ru/strik?utm_term=caligrafia+para+primer+grado
    Channel: PDF document text, links to other hosted PDFs
      • https://cdn-cms.f-static.net/uploads/4480889/normal_5fa99400d84d6.pdf
      • https://cdn-cms.f-static.net/uploads/4388827/normal_5f90afea7b293.pdf
      • https://cdn-cms.f-static.net/uploads/4371787/normal_5f905b76547df.pdf
      • https://cdn-cms.f-static.net/uploads/4501503/normal_5faff313dcbb6.pdf
      • https://cdn-cms.f-static.net/uploads/4367005/normal_5f87c59e5aade.pdf
      • https://cdn-cms.f-static.net/uploads/4379839/normal_5f9ab2738e22d.pdf
      • https://uploads.strikinglycdn.com/files/b7cda1e5-f01d-400c-b29e-d35b4fac6166/87615219568.pdf
      • https://s3.amazonaws.com/kovilowab/98710900709.pdf
      • https://uploads.strikinglycdn.com/files/cb8122f1-67a2-4a41-a5fd-9a1c6b6057c4/45011899276.pdf
      • https://uploads.strikinglycdn.com/files/8cfa9bbe-8082-4d7d-9a0d-ba24b764878c/71222715330.pdf
      • https://uploads.strikinglycdn.com/files/50db36a5-b153-49f7-847d-edc818f0a96a/siwupefavunokife.pdf
      • https://uploads.strikinglycdn.com/files/eec37df4-dccf-4d8e-aee5-a104d10a8177/54640905033.pdf
    Channel: PDF document text, font foundry and licence references (the kind of string carried by embedded font metadata; benign on their own)
      • http://www.ascendercorp.com/
      • http://www.ascendercorp.com/typedesigners.html
      • http://scripts.sil.org/OFL
      • http://dejavu.sourceforge.net
      • http://dejavu.sourceforge.net/wiki/index.php/License
    Channel: PDF document text, XMP/RDF metadata namespace identifiers (not navigable targets; benign)
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
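As an added worked example (written for this page, not code from the report or from the analysis pipeline that produced it), the following Python scanner reproduces the two heuristics above that a practitioner would most want to verify by hand: the duplicate-object check behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the link-annotation URL channel behind PDF_URI / EMBEDDED_URL. It runs over a constructed PDF, embedded inline and not the real sample, in which an incremental update redefines object 4 (the /Link annotation) so that a first-wins reader and a last-wins reader resolve different /URI targets. The object layout, the URLs and the severity rule are assumptions for illustration; the regex-based object walk ignores object streams and xref tables, so it is a triage aid rather than a conforming parser.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a one-page PDF whose incremental
# update (after the first %%EOF) redefines object 4, the /Link annotation,
# with a different /URI. Both URLs are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://example.org/handout.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (https://bad.example/strik?utm_term=lure) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj" with both keywords at line start; the lazy group is the body.
OBJ_RE = re.compile(rb"^(\d+)\s+(\d+)\s+obj\b(.*?)^endobj", re.M | re.S)
# /URI (...) literal strings; escaped parentheses inside the string are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def collect_objects(pdf: bytes) -> dict:
    """Map (num, gen) -> every body defined for that object, in file order.

    A viewer keeps only one definition; keeping all of them is what lets us
    compare duplicates."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_bodies(objs: dict) -> dict:
    """Objects defined more than once whose bodies are not byte-identical."""
    return {k: v for k, v in objs.items() if len(v) > 1 and len(set(v)) > 1}


def resolve(objs: dict, policy: str) -> dict:
    """Collapse to one body per object the way a first-wins or last-wins reader would."""
    pick = 0 if policy == "first" else -1
    return {k: v[pick] for k, v in objs.items()}


def link_annotation_uris(resolved: dict) -> list:
    """URLs reachable through /Link annotations carrying a /URI action."""
    uris = []
    for body in resolved.values():
        if b"/Subtype" in body and b"/Link" in body:
            uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    return uris


def scan(pdf: bytes) -> dict:
    """Report conflicting duplicates and the link target each reader policy would open."""
    objs = collect_objects(pdf)
    dups = duplicate_bodies(objs)
    # Assumed severity rule: raise only when a conflicting duplicate carries
    # active content, here a URI action; plain body drift stays informational.
    active = any(URI_RE.search(b) for bodies in dups.values() for b in bodies)
    return {
        "duplicates": sorted(f"{n} {g}" for n, g in dups),
        "first_wins": link_annotation_uris(resolve(objs, "first")),
        "last_wins": link_annotation_uris(resolve(objs, "last")),
        "severity": "high" if active else "info",
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Running scan(SAMPLE_PDF) lists the conflicting object "4 0", the URL a first-wins reader would open and the different one a last-wins reader would open, and raises severity only because the duplicate carries a URI action. Objects redefined with byte-identical bodies, the normal product of an incremental save, are not reported at all.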

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                    Size
font_00_sfnt_off0000e087.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE087    5088 bytes
  SHA-256: fb4ff32f6a810ca2de7c192653b14fdc1106119364c3bb814c49e8f0efb1e81c
font_01_sfnt_off0000f1b8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF1B8    3700 bytes
  SHA-256: de6982624ed4cc81de25263754cc438cf695239710b29b22cab81c08f44b67ee
font_02_sfnt_off00010048.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10048  10484 bytes
  SHA-256: 84e0a0e173cba4f62d8ac4f12dc3cefff55c4200901d2da71eef9b8f18ad66c5
font_03_sfnt_off00012299.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x12299  16432 bytes
  SHA-256: 96562a8b71fe38800b6b02149507d884bdb87c95975b66e75df9ca86a8d11cc6
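As an added example (my code, not the tooling behind this report), the carver below reproduces how font streams like the four listed above are pulled out of a PDF: walk the stream objects, inflate FlateDecode streams, keep those whose first four bytes are an sfnt signature (TrueType 0x00010000, "OTTO", "true" or "ttcf"), then name each artifact after its file offset and hash it. The sample PDF is constructed inline, and its "font" is a 12-byte sfnt offset table declaring zero tables rather than a real font; that the report's offsets refer to the start of the object header, as this code assumes, is an assumption, as is the naming scheme. Only FlateDecode is handled, which is enough for fonts written by wkhtmltopdf-style generators but not for every filter chain.

```python
import hashlib
import re
import zlib

# First four bytes of an sfnt container: TrueType, CFF-based OpenType, Apple TrueType, collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# "N G obj << ... >> stream": the dictionary may not run past an endobj (tempered
# pattern), so one object's dictionary cannot swallow the next object's stream.
STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; an indirect "/Length 8 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def iter_streams(pdf: bytes):
    """Yield (object_offset, dict_bytes, raw_stream_bytes) for each stream object."""
    for m in STREAM_OBJ_RE.finditer(pdf):
        start = m.end()
        lm = LENGTH_RE.search(m.group(3))
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            if end < 0:
                break
            raw = pdf[start:end].rstrip(b"\r\n")  # fallback; may clip binary data
        yield m.start(), m.group(3), raw


def decode_stream(dict_bytes: bytes, raw: bytes) -> bytes:
    """Apply the one filter this carver understands; corrupt Flate data yields nothing."""
    if b"/FlateDecode" in dict_bytes:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return b""
    return raw


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Return one record per stream that decodes to an sfnt font."""
    artifacts = []
    for off, d, raw in iter_streams(pdf):
        payload = decode_stream(d, raw)
        if payload[:4] not in SFNT_MAGICS:
            continue
        n = len(artifacts)
        artifacts.append({
            "filename": f"font_{n:02d}_sfnt_off{off:08x}.bin",  # assumed naming scheme
            "offset": off,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "data": payload,
        })
    return artifacts


# Constructed stand-in: sfnt version 1.0, numTables=0, searchRange/entrySelector/rangeShift=0.
FAKE_SFNT = b"\x00\x01\x00\x00" + b"\x00\x00" * 4


def build_sample_pdf() -> bytes:
    """Constructed PDF with one page-content stream and one FontFile2-style font stream."""
    page = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
    font = zlib.compress(FAKE_SFNT)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(page)
        + page + b"\nendstream\nendobj\n",
        b"7 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
        % (len(font), len(FAKE_SFNT)) + font + b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for art in carve_sfnt_fonts(build_sample_pdf()):
        print(art["filename"], art["size"], "bytes", art["sha256"])
```

The page-content stream is walked and inflated too but dropped because its first bytes are not an sfnt signature; only the font stream becomes an artifact, named after the offset of its "7 0 obj" header and hashed over the decoded bytes, which is what makes the SHA-256 values in the table above comparable across samples that merely re-compress the same font.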