Malicious PDF — malware analysis report

Static analysis result for SHA-256 185207dc3941e525…

Verdict: MALICIOUS
File type: PDF
Size: 88.6 KB
Created: 2021-04-06 21:31:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c12e8e4f0c8a74df3fe366398a97856e
SHA-1: b8135f7b096d67d001f9e8abe5b7c77355044b62
SHA-256: 185207dc3941e5254880c1a0eed3d9d55a1e09e63673e0892be3b595e3efb459
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains embedded URLs, one of which is flagged as malicious. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though partially corrupted, suggests a lure related to a drone manual, likely to trick users into clicking the malicious link. No scripts were extracted, but the presence of external URIs points to a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV detection critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mezovuduw.ru/wix?keyword=syma+d360+drone+manual

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00010cc8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10CC8   5212 bytes
  SHA-256: efd68533ec05d07de58e6d5b7a0945d523788ec95456963a788ed0dd16887682
font_01_sfnt_off00011e4d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11E4D   12740 bytes
  SHA-256: 6914b03a65129ee950657282d605604660c4882c476ee0032d46f49477dac2a5
font_02_sfnt_off000146de.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x146DE   4324 bytes
  SHA-256: cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34