Malicious PDF — malware analysis report

Static analysis result for SHA-256 1941e842d24ec5a5…

MALICIOUS

PDF

Size: 82.3 KB
Created: 2021-03-14 06:50:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 69a0f78585eb73a8ed38c1639b7e3196
SHA-1: d646f1a0fda8c777cf74f2f2da6af9b0248ffaff
SHA-256: 1941e842d24ec5a5c9af6a0a85a66fcbcf57192f02adb1eeb986e0f6e846ce69
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded URL `https://druttle.ru/wix?keyword=a+frozen+flower` suggests a phishing or redirection attempt. While no scripts were explicitly extracted, the PDF structure and embedded URLs are commonly used for delivering malicious content or leading users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://druttle.ru/wix?keyword=a+frozen+flower

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • font_00_sfnt_off0000f6cd.bin
    SHA-256: d15488b87eedf7c6d11ba1335c2e226015741ac03fe2ef21a43bceb44816383e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF6CD
    Size: 4216 bytes
  • font_01_sfnt_off000105c0.bin
    SHA-256: f9da920efee4931a2701092ce9cf0b33b43a3d56de0b32a54d54904984958365
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105C0
    Size: 4504 bytes
  • font_02_sfnt_off00011538.bin
    SHA-256: e255c576656fb947d1a3c47450296274a03d6f056b0b0e63ae7702996ec45e63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11538
    Size: 10964 bytes