Malicious PDF — malware analysis report

Static analysis result for SHA-256 0019b4b4218f8dd6…

Verdict: MALICIOUS
File type: PDF
Size: 82.3 KB
Created: 2021-03-15 03:59:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf01beebac3cb3e9dce2cd30c9d1e305
SHA-1: 410d0d4ae3982aeed22ab864e8348f6c68c1cb92
SHA-256: 0019b4b4218f8dd6240192be97b5b8e600f19324b61e146b1eca486bcbe5a15a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is flagged as malicious by ClamAV (signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0) and by the ML classifier (score 0.9961). The PDF carries an external URI action pointing to dafemum.ru, and the document body contains a large set of further URLs to free or throwaway hosting (weebly.com, epizy.com, rf.gd, cdn.sqhk.co, getenjoyment.net, iblogger.org), which together with the HTML-to-PDF authoring tool (wkhtmltopdf) is consistent with a phishing lure that redirects the reader to an attacker-controlled site. No JavaScript or other script content was extracted, so the T1059.007 mapping is not corroborated by the sample's contents, and nothing in the static findings indicates an exploit: the only non-AV heuristics are informational (external URI, embedded URLs, a duplicate object body that in an incrementally updated file is usually benign). Treat the URLs, above all the dafemum.ru target, as the actionable indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/123?utm_term=alice+cooper+brutal+planet
    • https://cdn.sqhk.co/bifugudawesu/STjfvvu/zovaj.pdf
    • http://kind-insta.site/xizoxibaganakatozoramabojvpbk.pdf
    • http://usesucre.pro/wooldridge_j._m._2002._econometric_analysis_of_cross_section_and_panel_dataltl72.pdf
    • https://webebusili.weebly.com/uploads/1/3/0/9/130969565/ba56f.pdf
    • http://vodabutopidaru.getenjoyment.net/30061995311.pdf
    • https://cdn.sqhk.co/gusijigi/YgZOged/zidupidevelazo.pdf
    • https://cdn.sqhk.co/fawabanof/ghajggj/3153992989.pdf
    • http://cardio-active.site/what_is_the_best_self_emptying_robot_vacuumizjwl.pdf
    • http://mozovurezet.iblogger.org/pasteur_athoms_mbuma.pdf
    • http://favosiwuvaru.iblogger.org/asbestos_sheet_repair_kit.pdf
    • https://loguxofe.weebly.com/uploads/1/3/0/7/130775118/9912021.pdf
    • https://wisejagu.weebly.com/uploads/1/3/4/8/134881465/3c7fe1a8527ed1.pdf
    • https://cdn.sqhk.co/fegibowaxus/cOejhhq/jafadelibekowidizu.pdf
    • https://gadonivoxe.weebly.com/uploads/1/3/5/3/135331758/dawolubufusuta.pdf
    • http://fiwisud.getenjoyment.net/bsp_threads_chart.pdf
    • https://cdn.sqhk.co/tofigidukug/adm4ffo/usa_buttons_inc_west_bend_wi.pdf
    • http://lordtrans.ru/get_dun_and_bradstreet_credit_reportvnjdi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://vubelifijam.atwebpages.com/ronokupemulotoketetuviwe.pdf
    • http://pugomifo.epizy.com/luliwuvabuvazezupurez.pdf
    • http://negikapivipen.epizy.com/android_mobile_below_3000_4g.pdf
    • http://perexuwofogefo.onlinewebshop.net/54621824028.pdf
    • http://mejizanukak.rf.gd/how_to_read_data_from_excel_sheet_in_java_using_selenium_webdriver.pdf
    • http://kukalofawofami.epizy.com/pufalugepolipamoku.pdf
    • http://zerowegujij.onlinewebshop.net/75729812923.pdf
    • http://mekigif.epizy.com/tenej.pdf
    • http://fokoxowikelejex.rf.gd/last_of_us_trophy_guide_ps4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are RDF/XMP metadata namespace identifiers and the SIL Open Font License link; they are standard in wkhtmltopdf/Qt output and are not navigable indicators. The two ascendercorp.com links are most likely font-vendor URLs carried in the embedded font metadata (see the carved sfnt streams below), not document links.
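Added example, not part of this report or of the analysis tool that produced it: a small Python scan that finds indirect objects defined more than once with differing bodies (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape) and shows which /URI action target a first-wins reader versus a last-wins reader would resolve (the PDF_URI finding). The PDF bytes are constructed for illustration and are not the analysed sample; the example.invalid hostnames are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (not the analysed file): a minimal PDF with one link
# annotation whose /A action is object 5 0, followed by an incremental update
# that redefines 5 0 with a different /URI. A first-wins parser sees the
# original target, a last-wins parser (the normal PDF rule) sees the update.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A 5 0 R >>
endobj
5 0 obj
<< /S /URI /URI (https://example.invalid/benign) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
5 0 obj
<< /S /URI /URI (https://example.invalid/redirect?x=1) >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind stops "13 0 obj" matching as "3 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI followed by a literal string; handles backslash escapes inside the parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def find_objects(data):
    """Map (num, gen) -> list of body bytes in file order (one entry per definition)."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(data):
    """Objects defined more than once with at least two different bodies."""
    return {k: v for k, v in find_objects(data).items()
            if len(v) > 1 and len(set(v)) > 1}


def resolve(data, num, gen, policy="last"):
    """Resolve an indirect object under a first-wins or last-wins policy."""
    bodies = find_objects(data).get((num, gen))
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def uri_actions(data, policy="last"):
    """All /URI targets a reader with the given resolution policy would see."""
    uris = set()
    for bodies in find_objects(data).values():
        body = bodies[0] if policy == "first" else bodies[-1]
        for m in URI_RE.finditer(body):
            uris.add(m.group(1).decode("latin-1"))
    return sorted(uris)


if __name__ == "__main__":
    for (num, gen), bodies in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen} defined {len(bodies)} times with differing bodies")
    for policy in ("first", "last"):
        print(f"{policy}-wins reader resolves URIs: {uri_actions(SAMPLE_PDF, policy)}")
```

Run it on the real sample with `open(path, "rb").read()` in place of SAMPLE_PDF. If the two policies return different URI sets, the duplicate carries active content and deserves the higher severity the heuristic description mentions; if they agree, the duplicate is most likely an ordinary incremental update. The regex approach ignores object streams and encrypted files, which a full triage would also have to unpack.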

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                        Size
font_00_sfnt_off0001049b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1049B    4880 bytes
  SHA-256: 5beade6167443d55e60a47a1ebbd979a628bff37e2b12e1b73089a93e3404fdb
font_01_sfnt_off0001153d.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1153D    11068 bytes
  SHA-256: fc599edadff55d51b655f3ee359fd4b509f0d7f379c63fc08fc54c5ca2817b67