Malicious PDF — malware analysis report

Static analysis result for SHA-256 f04749ef032312e7…

MALICIOUS

PDF

Size: 84.3 KB
Created: 2021-03-15 19:42:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1f838ca265524287d06ce2f260b4ea2d
SHA-1: 7f84354404f846752b6daf2d0aca33a501f04237
SHA-256: f04749ef032312e7d56ada1a54075edde395d60dd17a3d34698864938470b1e3
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that mimics a search engine result, likely intended to trick the user into visiting a malicious site. ClamAV and ML classifiers strongly indicate malicious content, and the embedded URL is a primary indicator of a phishing or credential harvesting attempt. No scripts were extracted, but the PDF structure and embedded URI are sufficient to infer a phishing attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/aws?utm_term=does+brushing+your+teeth+with+peroxide+make+them+whiter
    • https://cdn-cms.f-static.net/uploads/4426944/normal_6022d1c3bd511.pdf
    • https://cdn.sqhk.co/kadunila/1jagBje/samsara_room_bookshelf.pdf
    • https://cdn-cms.f-static.net/uploads/4489411/normal_60160b19d191f.pdf
    • https://cdn-cms.f-static.net/uploads/4414868/normal_602de297b93b9.pdf
    • https://cdn-cms.f-static.net/uploads/4387566/normal_602473bc14252.pdf
    • https://static.s123-cdn-static.com/uploads/4464068/normal_5feb022aee1d9.pdf
    • https://cdn.sqhk.co/nojumuku/YMqMgiF/specialty_wood_stores_near_me.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/7b83c41c-56af-4896-af86-5df61f967404/zoom_h4n_sd_card_speed.pdf
    • https://uploads.strikinglycdn.com/files/bc9ee872-7cc4-4f23-bc96-a1e48717601e/ninja_blender_black_friday_bjs.pdf
    • https://uploads.strikinglycdn.com/files/f4d48369-a1f9-4312-a401-3ac7fc22e034/tarifanokipibiwu.pdf
    • https://uploads.strikinglycdn.com/files/46141ec0-5f24-4ad2-bde9-4e6bfa2b9faf/xukebekamofas.pdf
    • https://uploads.strikinglycdn.com/files/816d99cf-8adc-4a2d-8708-ac6735f71337/12637287154.pdf
    • https://uploads.strikinglycdn.com/files/a415b84f-e6be-429d-86c3-39a4c4c85b79/71823037899.pdf
    • https://uploads.strikinglycdn.com/files/5355cada-1ac5-4c03-af73-fe777fd1e756/harry_potter_movies_online_netflix.pdf
    • https://uploads.strikinglycdn.com/files/987f72a8-2e40-40a3-82e7-c0d6b3ab8f63/49430207365.pdf
    • https://uploads.strikinglycdn.com/files/46eef4d8-c5ae-44d3-9e7e-41c419c7a190/asu_wifi_android_domain.pdf
    • https://uploads.strikinglycdn.com/files/6e7fe71d-8125-4656-a295-f08a3d5c3a0c/gupizafevesaxunuvemodo.pdf
    • https://uploads.strikinglycdn.com/files/cc26c763-f3f0-45ae-b50a-e00b9c208a4d/bojefirevewijunazuvo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f340.bin
    SHA-256: 82bf743474b1f84f1edfde3d93a90ab9b9a930b617deee2714410158fec417ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF340
    Size: 5804 bytes
  • Filename: font_01_sfnt_off000106f3.bin
    SHA-256: 686f28ff5f961c85b9bfd809784dcd795cd26bb303a7fe69a0503f7487b78456
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x106F3
    Size: 10880 bytes
  • Filename: font_02_sfnt_off00012c4c.bin
    SHA-256: 0845746d8e0f76c2c57e53a5d0c2d2ba36ed31c4724e2802406f297ba1795667
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C4C
    Size: 16132 bytes