Malicious PDF — malware analysis report

Static analysis result for SHA-256 f85d3c70f4a828ea…

MALICIOUS

PDF

Size: 68.5 KB
Created: 2021-03-22 01:54:41 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5e5a5476e5a38e5dff679b6e1bbc18a0
SHA-1: 28fe9606fb3661fa930bb8a665f8f2749d9f6606
SHA-256: f85d3c70f4a828ead897932d3be9fd853cc492090b00780ba152111401aab7da
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by ClamAV as 'Pdf.Phishing.Trojan' and a machine learning classifier returned a high probability of maliciousness. The document body contains text related to 'Eastern Dakota Conference Basketball' and an embedded URI points to 'https://maypoin.ru/wix?keyword=eastern+dakota+conference+basketball', suggesting a phishing or social engineering lure. No scripts were extracted, but the presence of embedded URIs and the overall detection profile indicate a malicious document likely intended to redirect users to a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://maypoin.ru/wix?keyword=eastern+dakota+conference+basketball

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000cf11.bin
    SHA-256: 7aac5c6ca193bfc13ce1545566a4fcb5932567960b88b92c1db9a2b48ef5f561
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCF11
    Size: 5176 bytes
  • Filename: font_01_sfnt_off0000e0c1.bin
    SHA-256: 7ca6a3d242b739616fe866d5d8ec8768f2ce62fb2d6ad9cf5f6960b32dd614a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE0C1
    Size: 10524 bytes