Malicious PDF — malware analysis report

Static analysis result for SHA-256 f6eccc02d68321a9…

Verdict: MALICIOUS
File type: PDF
Size: 79.7 KB
Created: 2021-03-24 05:04:08 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-23
MD5: e84a4989609fd74c664e0a37f071edd6
SHA-1: 859677e482f91126982e7804924d2c433d3284bb
SHA-256: f6eccc02d68321a9c6563172edfa80a07ff56db494ce8472b0a00eb6c03f97cf
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple embedded URLs, with the primary one being 'https://ponafet.ru/award?keyword=botany+of+desire+pdf', presented as a lure for a book download. ClamAV detection and ML classification strongly indicate malicious intent, likely to deliver a phishing or trojan payload. Although no scripts were directly extracted, the presence of numerous suspicious URLs suggests the document is designed to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ponafet.ru/award?keyword=botany+of+desire+pdf (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fa08.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA08
    Size: 5152 bytes
    SHA-256: 95f898ca7fc529c0221d1754403b43233ea06a4be7f0e695a60061efadda0984
  • Filename: font_01_sfnt_off00010bb1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10BB1
    Size: 10980 bytes
    SHA-256: ab172113e1b5981b0a5ee67f482726a3b7f75fa170424d4c5eeea8537860abef