Malicious PDF — malware analysis report

Static analysis result for SHA-256 031f0474fdd1169b…

MALICIOUS

PDF

79.1 KB Created: 2021-03-21 22:46:08 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5120cabdd6c5c9b931e544a8def342b9 SHA-1: 9b4764cdd4b089f6af4dac2434ec129b375021f9 SHA-256: 031f0474fdd1169bd9373ccdb8fe59392ccf990289710421160ab34499658eab
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The sample is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URI pointing to the malicious domain 'midufefew.ru', which is likely used to host a phishing page or deliver a payload. The document body is heavily obfuscated, but the presence of the malicious URL and the overall detection indicate a phishing or malware distribution attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/wix?keyword=heated+body+pillow+sunbeam
    • http://xejepurefe.scienceontheweb.net/statement_of_certifying_physician_for_therapeutic_shoes.pdf
    • http://fojefojegut.medianewsonline.com/56702440434.pdf
    • http://xeberul.mywebcommunity.org/a1275_transistor.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/38d1dc15-bdf0-4267-be64-ac62731ee650/conair_extreme_steam_instructions.pdf
    • https://uploads.strikinglycdn.com/files/ca2b8b5f-2dc5-47ce-8a40-0cacbf6b9e00/icewind_dale_enhanced_edition_multiplayer.pdf
    • https://s3.amazonaws.com/sutawowirosuvuv/email_template_salesforce_visualforce.pdf
    • https://uploads.strikinglycdn.com/files/4211fcc7-f863-48a5-9062-03805d0fa8a5/pemipavozizasakum.pdf
    • https://uploads.strikinglycdn.com/files/54df4172-9590-4668-98bb-bb21924eb431/25609247125.pdf
    • https://uploads.strikinglycdn.com/files/bc631e5c-a6b5-47d9-99e3-bf43ffaafe44/verb_forms_exercises_for_class_9.pdf
    • https://uploads.strikinglycdn.com/files/7b731214-cc55-412c-b321-714257f1d913/50367921410.pdf
    • https://uploads.strikinglycdn.com/files/25ddc092-b0c0-4278-b5ff-5104e96cc083/31945952633.pdf
    • https://uploads.strikinglycdn.com/files/503dfd09-7709-4789-8ef3-9e1f59c7be45/how_much_is_a_fire_ant_queen.pdf
    • https://s3.amazonaws.com/bovenotojitowe/best_forex_technical_analysis_tools.pdf
    • https://s3.amazonaws.com/jazuravazaguz/mawofixibi.pdf
    • https://s3.amazonaws.com/tobaziw/gogagegiripopede.pdf
    • https://s3.amazonaws.com/mexavofezoxi/19918864799.pdf
    • https://uploads.strikinglycdn.com/files/2be65ffc-0306-4041-83cd-dda9d77bf23e/how_to_reset_kitchenaid_mixer.pdf
    • http://nemebikox.epizy.com/bein_sports_tv_guide_rugby.pdf
    • http://tumobuwixakeg.atwebpages.com/distance_time_graph_worksheet.pdf
    • https://s3.amazonaws.com/bulalowisu/birthday_card_printable_template_word.pdf
    • https://uploads.strikinglycdn.com/files/c7ab3c58-11b2-48ad-b562-05f4be05ad88/swingline_lighttouch_heavy_duty_stapler_jammed.pdf
    • https://s3.amazonaws.com/megodipewukitoj/gopro_hero_3_startup_guide.pdf
    • http://meguwuzib.rf.gd/sazir.pdf
    • http://fixelelediv.epizy.com/wagner_wedding_march_piano.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f838.bin
7a1ad64c7baa6d05dbe3d940e4c151500d314fa4a8ea0d2fc7513f398bb74683		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF838 5304 bytes
font_01_sfnt_off00010a3d.bin
56c6c0e31b4ecae31ec3638eea1881dcaaaa052b32962a1cb300e220606113d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A3D 10388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.