Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d61dcdfba76f923…

MALICIOUS

PDF

Size: 96.6 KB
Created: 2021-03-25 07:26:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6fd40f7564a01f7c573caf9c3ef8bde2
SHA-1: b85fc0d039b21372d4eead9a88d1bb702aa7b479
SHA-256: 1d61dcdfba76f923763bf1035054783f2593219a7b9f0db82f544eb8c2defae6
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The presence of external URIs, specifically `https://dafemum.ru/award?keyword=zx+spectrum+basic+programming+pdf`, suggests a phishing lure designed to trick users into downloading further malicious content. While no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/award?keyword=zx+spectrum+basic+programming+pdf
    • https://cdn.sqhk.co/nugizape/dhaZhdb/wapobasesojumoloxap.pdf
    • http://phrensy.co/adidas_watch_adp6000_manualvqevy.pdf
    • https://cdn.sqhk.co/remimidotomi/fbihhdT/neon_traffic_signs.pdf
    • http://yesnutural.space/xbox_series_s_vs_xbox_one_s_specs0dct8.pdf
    • https://cdn.sqhk.co/nimotixalulo/cWigBHH/no_man_s_sky_vr_ps4_pro.pdf
    • http://bizbize-yeteriz.org/in_a_titration_what_is_meant_by_the_term_primary_standardr4i9g.pdf
    • http://sreda.city/network_security_engineer_resume_indiao8fdc.pdf
    • http://jotijitod.66ghz.com/forrest_gump_imdb_parents_guide.pdf
    • https://cdn.sqhk.co/zenujulikik/hgcjdVd/lawigulawexaz.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://toxukanubevaga.rf.gd/29843039913.pdf
    • https://uploads.strikinglycdn.com/files/0104503c-dc8a-452b-9472-fc33627ddd83/will_genie_remote_work_with_overhead_door.pdf
    • http://darumanu.rf.gd/panasonic_toughbook_fz-g1_accessories.pdf
    • http://ziwejozaz.epizy.com/vusuw.pdf
    • http://lujuxug.epizy.com/bosch_classixx_5_manual.pdf
    • http://malajusojak.epizy.com/harper_biochemistry_ebook_free.pdf
    • https://uploads.strikinglycdn.com/files/06d27e81-21b4-4cac-b304-7976591fa287/1994_suzuki_quadrunner_250_plastics.pdf
    • https://uploads.strikinglycdn.com/files/8da2c5a5-9eb7-4b75-8dab-33649f9695b9/black_and_decker_rice_cooker_plus_rc426_instructions.pdf
    • https://uploads.strikinglycdn.com/files/139546d1-4cd9-4212-a508-659fb25c0d43/lemamopevagidut.pdf
    • http://jefelaxe.epizy.com/fokusurarisizul.pdf
    • https://uploads.strikinglycdn.com/files/2d7e2a02-9f01-4520-908e-df28e81176c3/93599753875.pdf
    • https://uploads.strikinglycdn.com/files/ce814899-be9d-4297-b14e-e1eda870cca5/how_do_you_learn_korean_on_your_own.pdf
    • https://uploads.strikinglycdn.com/files/178e2203-6f91-4070-9b6b-7871629473fb/hanuman_chalisa_in_kannada.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00013866.bin
    SHA-256: 5339a1ae906dadcf0065df10a40484e99543874e83f1bfa8486d0ac3fea56ac4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13866
    Size: 5608 bytes
  • Filename: font_01_sfnt_off00014b64.bin
    SHA-256: 957b6058799ba232ff3c0dced8b1b487bb93a8a0686e3eaf70883ccf8e7ab8f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14B64
    Size: 12404 bytes