Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2010cdf50bd6d2d…

MALICIOUS

PDF

Size: 68.7 KB
Created: 2021-09-29 00:46:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 52d93248284989b20009acff35a89d04
SHA-1: 9d61c0bc548b978d6107cdcaf489100ca31a3115
SHA-256: f2010cdf50bd6d2d701843f521126a2a97304af6a2539a3d73cd9c25cb4eca3e
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF utilizes parser-evasion techniques and includes an external URI pointing to a raw IP address, indicating a malicious intent to deliver further payloads. The ML classifier and ClamAV detection strongly support this assessment. No scripts were extracted, so the exact execution mechanism remains unclear, but the structure suggests a downloader or phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000af79.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAF79
    Size: 16792 bytes
  • font_01_sfnt_off0000c790.bin
    SHA-256: 4003bc9fb5aefe35670ca408f380b6be574108ca610dc07f062f5a895b6ac9fe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC790
    Size: 10216 bytes
  • font_02_sfnt_off0000de4e.bin
    SHA-256: 63f991c296f1220b0c6178918dec06ab5ad893585fbea03cdbb91a484796e640
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE4E
    Size: 15736 bytes