Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4da84037da4dd79…

Verdict: MALICIOUS
File type: PDF
Size: 85.9 KB
Created: 2021-03-21 08:39:05 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-08-25
MD5: 226e74bd977b5f56543a9d616402efba
SHA-1: dec28baa9822cc1d6178d419fcf61c7f3460ed1b
SHA-256: f4da84037da4dd795e64a4bcd39a7322ede279b27a7354a2e29072769410717e
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains heuristics indicating it is a phishing lure, specifically using an academic-themed title to entice clicks. The primary malicious URL, https://fokemale.ru/wix?keyword=period+2+review+packet+ap+world+history+answers, is directly linked to this phishing attempt. While no scripts were explicitly extracted, the PDF structure and associated heuristics strongly suggest an attempt to redirect users to a malicious site, likely for credential harvesting or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • https://fokemale.ru/wix?keyword=period+2+review+packet+ap+world+history+answers | PDF link annotation
    • https://static.s123-cdn-static.com/uploads/4426953/normal_5fcb36c535b10.pdf | In PDF document text
    • https://cdn-cms.f-static.net/uploads/4448976/normal_5fd1596ed4b1c.pdf | In PDF document text
    • https://cdn-cms.f-static.net/uploads/4403948/normal_604eb27c0be66.pdf | In PDF document text
    • http://www.ascendercorp.com/ | In PDF document text
    • http://www.ascendercorp.com/typedesigners.html | In PDF document text
    • https://s3.amazonaws.com/niporofez/swot_infographic_template_ppt.pdf | In PDF document text
    • https://uploads.strikinglycdn.com/files/a1ea22b2-47ca-4ddd-b87e-1205ea5fdb7c/zebuxewemegepuwawuji.pdf | In PDF document text
    • https://s3.amazonaws.com/napejaxosinages/40834288859.pdf | In PDF document text
    • http://kanusilos.epizy.com/bacharach_leak_detector_informant_2.pdf | In PDF document text
    • https://uploads.strikinglycdn.com/files/cfc9368d-4ef8-4dfc-8987-8dc273cce34e/zejisiwogarakus.pdf | In PDF document text
    • https://s3.amazonaws.com/xisakazelelinim/the_last_dance_encountering_death_and_dying_10th_edition.pdf | In PDF document text
    • https://uploads.strikinglycdn.com/files/af7b4f22-2e30-431a-9b00-aa22698ec84d/texto_argumentativo_estructura_del_ensayo.pdf | In PDF document text
    • https://s3.amazonaws.com/meludav/manual_denon_avr_1910_portugues.pdf | In PDF document text
    • http://potimafekun.epizy.com/wordpress_admin_pass_reset.pdf | In PDF document text
    • https://s3.amazonaws.com/xalexojaxipud/lunch_invitation_template.pdf | In PDF document text
    • https://uploads.strikinglycdn.com/files/a2d61e91-ab4d-4851-8128-4325f35786c6/wajumajo.pdf | In PDF document text
    • http://bavolonetokibip.rf.gd/simple_spanish_words.pdf | In PDF document text
    • https://s3.amazonaws.com/jupudizadid/sister_birthday_song_in_tamil.pdf | In PDF document text
    • https://s3.amazonaws.com/bitajemisajoz/calculus_3_problems_and_solutions.pdf | In PDF document text
    • http://xupasafagimi.rf.gd/artist_profile_examples.pdf | In PDF document text
    • https://uploads.strikinglycdn.com/files/6f5ad32b-e075-4869-904f-0eabca2e98ce/51696148216.pdf | In PDF document text
    • https://uploads.strikinglycdn.com/files/660ecc07-de5b-4092-8ef7-d7b9e1187255/navy_civilian_jobs_2020_online_registration.pdf | In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text
    • http://purl.org/dc/elements/1.1/ | In PDF document text
    • http://ns.adobe.com/pdf/1.3/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/ | In PDF document text
    • http://scripts.sil.org/OFL | In PDF document text
    • http://dejavu.sourceforge.net | In PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/License | In PDF document text

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ef63.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEF63 | 5612 bytes
    SHA-256: a43f9e790680d2eefdb94b5fcd83c26953c305c2480372a3fc9a7a07a95fd820
font_01_sfnt_off00010287.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10287 | 1716 bytes
    SHA-256: 7314a8110a688275e79cb4cd5cd058a9f858becaa7f01fde0a687197ddc85302
font_02_sfnt_off00010b12.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B12 | 11332 bytes
    SHA-256: 34b354b1a7c338b18027b55c10d43db7ccd6707240a4cf53dd59feb8fe033240
font_03_sfnt_off000131f2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x131F2 | 16116 bytes
    SHA-256: acdc7345fd7c724e0f83f99756c334a81566d7f1ced1780f830934d9e28cbf4f