Malicious PDF — malware analysis report

Static analysis result for SHA-256 f699db0d05653337…

MALICIOUS

PDF

68.4 KB Created: 2020-12-21 19:57:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 616916143a85c81764834d53d9fd812c SHA-1: 78ec47b1e1897c5c44b700db513dc1e1b14c62b7 SHA-256: f699db0d05653337e01f7858facf034b2742cae1ec9b574d51c19f8ed57ef7d1
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains embedded URLs and is flagged by ML classifiers and ClamAV as malicious. The document body, though heavily obfuscated, appears to be a lure related to a 3D printer review, combined with advance-fee scam language. The primary malicious indicator is the external URI pointing to a suspicious domain, likely used to redirect the user to a phishing or scam page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://trafffe.ru/strik?utm_term=formbot+t-+rex+2+3d+printer+review
    • https://cdn-cms.f-static.net/uploads/4489411/normal_5fb810a4b6c41.pdf
    • https://cdn-cms.f-static.net/uploads/4477376/normal_5fd1fec8a93ec.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/bd9c3855-b229-4b19-8b5c-7a1fb8001d6c/ram_elements_program_manual.pdf
    • https://uploads.strikinglycdn.com/files/f9dc273a-7e7c-41a1-98a6-619e93fb2554/timex_t601g_nature_sounds_clock_radio_manual.pdf
    • https://static1.squarespace.com/static/5fc695a917e720264011615a/t/5fcd611cf94b6402b22c5bb2/1607295262223/sushi_neko_okc_hours.pdf
    • https://uploads.strikinglycdn.com/files/652286f7-dc00-4c90-9a31-d93700831b40/cablevision_remote_manual.pdf
    • https://static1.squarespace.com/static/5fc781bf5c272238a81a8919/t/5fccd2627ae85b53b2905e86/1607258724635/hidden_agenda_definition_in_communication.pdf
    • https://uploads.strikinglycdn.com/files/7a6c7e00-dbde-46cd-b009-6816340744a3/bootable_windows_xp_sp3_iso.pdf
    • https://static1.squarespace.com/static/5fdc9f1e8b13fe0be8181d02/t/5fdd2bc0ef735726d23d348e/1608330181158/automatically_unfair_dismissal_labour_guide.pdf
    • https://static1.squarespace.com/static/5fbce344be7cfc36344e8aaf/t/5fbf5eb64e98326c02082010/1606377143206/everstar_air_conditioner_model_mpm-08cr-bb4.pdf
    • https://uploads.strikinglycdn.com/files/306f26ec-531b-4350-b64d-26029d9c3bc6/nivixexugovelo.pdf
    • https://uploads.strikinglycdn.com/files/37482b31-3626-4a72-ade0-e23e74d354ae/tabletop_propane_fire_pit_cover.pdf
    • https://uploads.strikinglycdn.com/files/3c09abf6-6e78-4405-926d-a60e35ea683b/aisc_design_guide_3.pdf
    • https://static1.squarespace.com/static/5fdebfeb2dcd53187f206807/t/5fdeda787185ee572d52cff4/1608440440936/autosketch_apk_full_version.pdf
    • https://uploads.strikinglycdn.com/files/bb2c806d-a7e4-4019-8153-83ae7ec9ec34/cuntos_gramos_son_en_un_octavo_de_w.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d1fd.bin
b69c8bfde388ded94ceff1a05bb19522da2c59032cbfa0c750c93ceace58e604		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD1FD 5328 bytes
font_01_sfnt_off0000e422.bin
027caf788875a345b831154bf5f2c76827734df9f26eda7de307be9a6f38c6a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE422 9540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.