Malicious PDF — malware analysis report

Static analysis result for SHA-256 042432060ef7bd3c…

Verdict: MALICIOUS
File type: PDF
Size: 192.7 KB
Created: 2021-03-17 20:17:15 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69b107212ef1d1c0232985edb30fcdc0
SHA-1: 24579364fc0c972bc8bc17eed309c92ec5a3edbd
SHA-256: 042432060ef7bd3c5bf593ef08bf1ef30eab557ed67b9e78115c9f59d1c3c5c1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and by ClamAV, whose detection name classifies it as a phishing trojan. An external URI pointing to 'golowaki.ru' was extracted, suggesting a lure to a malicious website. The document body, though heavily obfuscated, contains text related to citation generation, which matches the phishing pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI [info, PDF_URI]
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/award?keyword=citing+pdf+mla+generator
    • https://wesuzimowigimeb.weebly.com/uploads/1/3/4/7/134745326/6b13263b5e2.pdf
    • https://xurozakewera.weebly.com/uploads/1/3/1/4/131414240/ruruzuv.pdf
    • http://zawuruliwisevo.iblogger.org/pisuvesamebezikexizunot.pdf
    • https://tibufidis.weebly.com/uploads/1/3/0/7/130740046/kugozugedema-gobufumupepe-bonifegikubuv.pdf
    • https://static.s123-cdn-static.com/uploads/4487918/normal_5ffac125c4f52.pdf
    • https://renobikedasel.weebly.com/uploads/1/3/4/8/134897329/7332189.pdf
    • https://jefabogab.weebly.com/uploads/1/3/1/6/131636769/3373631.pdf
    • http://rigametovezo.22web.org/fokaxikelivemenunogibo.pdf
    • http://dutalamujuso.66ghz.com/diablo_3_switch_farming_guide.pdf
    • https://static.s123-cdn-static.com/uploads/4471945/normal_5fc9c1add3779.pdf
    • https://nozijuga.weebly.com/uploads/1/3/4/6/134698325/pojelitigalagobek.pdf
    • https://static.s123-cdn-static.com/uploads/4384301/normal_5fddf0801d9ca.pdf
    • https://fanuxerejupu.weebly.com/uploads/1/3/1/3/131398214/rubujowavunas.pdf
    • https://cdn-cms.f-static.net/uploads/4369313/normal_60419a2996191.pdf
    • https://maninidepot.weebly.com/uploads/1/3/4/7/134702581/ginewukoz.pdf
    • http://rerulekoba.66ghz.com/22475329125.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://dd3528e8-ded0-4753-843e-0d3cb9f542e7.filesusr.com/ugd/4d6844_90e8711cc0c0433482f5fc2b78c65c62.pdf?index=true
    • https://78fa80b2-8629-447b-ad63-53e91e8d4948.filesusr.com/ugd/8f02de_a31e682bd35d4fe1993fae557d03dc4d.pdf?index=true
    • https://3edbbcf3-b5b1-446e-9630-835d38fa79e0.filesusr.com/ugd/6908d7_3dfdb63354c444ed9c7f1c7c3f4fba09.pdf?index=true
    • http://sepevelozexim.epizy.com/9106279783.pdf
    • https://c0771fee-1ba5-4dbf-bba5-a775c3d44c03.filesusr.com/ugd/544e7e_505d526a1c5d4ae9a10862ff7aae88a1.pdf?index=true
    • https://2d2b1dae-c014-4902-97e6-c3f1d56915cd.filesusr.com/ugd/70e5f7_798352528bfd49e6b648cbdfbad506f0.pdf?index=true
    • https://30cc9e9c-6145-4029-bfdc-d0561bdb3a10.filesusr.com/ugd/0dcf4b_f134629354c04cdea6986e94bc835c0f.pdf?index=true
    • https://1682489e-d94b-4f22-b6a6-c8ecb623ca2e.filesusr.com/ugd/5f226e_9cf304b061c5412c98d0a307f2890b35.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00011db7.bin
    SHA-256: ec9e33513cdf9aabedd2b2a8fb947a81ec4f58c0fdb96d75c0c6605b3539a1ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11DB7
    Size: 141824 bytes
  • Filename: font_01_sfnt_off0002c075.bin
    SHA-256: d035f690e2d8ad81d4dde16f5ef18011dd6f3675287fe4db8d83379798ac89ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C075
    Size: 5088 bytes
  • Filename: font_02_sfnt_off0002d1af.bin
    SHA-256: 172f1f35ab79893cc9f4df4a779e05e5c3a7c6970b3d6d42fda929ed37ceb2a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2D1AF
    Size: 10268 bytes