Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbfa2438d0f63e7b…

MALICIOUS

PDF

Size: 79.1 KB
Created: 2021-03-23 07:46:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a498234f2bdc77be14b980fe816e2ba9
SHA-1: 241a4fd801f87f766969e2ffdbbc67c4431af3b1
SHA-256: dbfa2438d0f63e7b8fdc171e40196b8df9226bba98109fe274d91919d5479572
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. It contains an external URI pointing to 'https://zajinet.ru/strik?utm_term=kung+fu+panda+3+trailer+ingles', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, contains metadata suggesting it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://zajinet.ru/strik?utm_term=kung+fu+panda+3+trailer+ingles

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f4b6.bin
    SHA-256: 6ccc4cd016eec7f768935c52939b935227322af0fc2abe68f9e038d05aefe81e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF4B6
    Size: 5340 bytes
  • Filename: font_01_sfnt_off00010703.bin
    SHA-256: cb2d8239b9e20f9b3d631582c2cf94b7e08c266871cafe4d07fed5e0a2590e5c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10703
    Size: 11072 bytes