Malicious PDF — malware analysis report

Static analysis result for SHA-256 df71733ea549c949…

MALICIOUS

PDF

82.0 KB Created: 2021-03-14 02:11:25 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2631ae47f4a46db0446b519b0a32a813 SHA-1: 51c28b5a62c1f7982a0698ce5d77188501916db2 SHA-256: df71733ea549c949ecf8ffabb9e5d7af07274825f6d77a12561a5516bf7519c7
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as a malicious PDF by ML classifiers and ClamAV. It contains an embedded URI pointing to 'https://maypoin.ru/wix?keyword=switched+cassie+mae+pdf', which is a strong indicator of a phishing or malware distribution attempt. The document body is heavily obfuscated, preventing a clear understanding of its specific lure, but the presence of the external URI is the primary driver for the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=switched+cassie+mae+pdf
    • https://cdn.sqhk.co/wemavutulow/gAQnhad/word_craze_daily_puzzle_answers_today.pdf
    • http://reactivascotia2020.com/sedaziwukelezefakey29.pdf
    • https://static.s123-cdn-static.com/uploads/4369784/normal_5fca80719033d.pdf
    • https://cdn.sqhk.co/furugilenu/ibf7jf5/zubigukigutisuku.pdf
    • https://xaxibilezulaf.weebly.com/uploads/1/3/4/0/134096047/dunabapiguxebijas.pdf
    • https://jomufoxubibad.weebly.com/uploads/1/3/1/1/131164047/xakirufigufixi_bosezenetifam.pdf
    • https://cdn.sqhk.co/kofisosiz/V6hajcQ/87378369480.pdf
    • https://cdn.sqhk.co/raxinosi/jfhbEft/munajifemazofir.pdf
    • http://tk-pobeda.site/adobe_indesign_keyboard_shortcuts_cheat_sheet3ij9b.pdf
    • https://keregejuvuja.weebly.com/uploads/1/3/4/3/134345288/sawilefu.pdf
    • https://dururamud.weebly.com/uploads/1/3/4/8/134846475/cc928.pdf
    • https://static.s123-cdn-static.com/uploads/4446401/normal_5fe178cc07300.pdf
    • http://betmoy56.com/kerefozinecn0xy.pdf
    • https://cdn-cms.f-static.net/uploads/4408993/normal_6037dbd39b08b.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://9eaa565e-fb97-40b4-b096-d6760803f699.filesusr.com/ugd/55e2c6_6871ed2dbf4a45c081b1fcac55e67878.pdf?index=true
    • https://s3.amazonaws.com/wexoteluwag/togasipovegurivara.pdf
    • https://s3.amazonaws.com/retisovojor/auction_ticket_sheets.pdf
    • https://s3.amazonaws.com/juzinaramip/english_grammar_worksheets_for_grade_4_adverbs.pdf
    • https://s3.amazonaws.com/kudefem/behmor_1600ab_plus_manual.pdf
    • https://f72b89be-0fa6-41ee-8162-331329ef78ce.filesusr.com/ugd/95089d_fe5477ca2003498d8bcb377ba3a0d882.pdf?index=true
    • https://5c839259-519f-4cee-a1a2-6639d654070b.filesusr.com/ugd/140efa_0c0a850b8c3547d98e07e65e3e47eec8.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010248.bin
38b3a64cd92eb3157efea84e98c2c12ec644a36d0228b43ea3d14491e213de76		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10248 5460 bytes
font_01_sfnt_off000114cd.bin
0abd700d7962642ec7bfa29d21eb3863038d8e8a85f4f6fa64340119de3cd846		 pdf-font-stream PDF embedded font (sfnt) at offset 0x114CD 11508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.