Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e2fa1252a334880…

Verdict: MALICIOUS
File type: PDF
Risk score: 96
Size: 94.1 KB
Created: 2021-03-07 12:13:40 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 020bf3116a848c3c93e0151be4cebeed
SHA-1: e974449e7476a0fe736232868c9cca401feb56bd
SHA-256: 1e2fa1252a33488088521def4a74e4d889dc3c49fe57ea5801eb82781564d7e2

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by an ML classifier (Nyx PDF Classifier, score 0.9993) and by ClamAV (signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0). The primary indicator is the external URL `https://druttle.ru/aws?utm_term=how+to+pronounce+basic+korean+words` together with the document's external URI action: the file is shaped to send the reader to attacker-chosen content rather than to run code locally. No JavaScript or other script content was extracted, so the T1059.007 mapping is not corroborated by a recovered payload and should be treated as provisional until the URI target is fetched and examined. The same object number also appears twice with different bodies (an incremental-update shape that can make two readers resolve different content), which is worth checking when the document is reviewed in a viewer.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9993

Heuristics (4)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware with signature Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0.
  • External URI [info] PDF_URI
    The PDF contains an external URL action (/S /URI), i.e. a link the viewer will open in a browser when activated.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so the severity is raised only when the duplicate carries active content (JavaScript, launch or URI actions, embedded files).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) says how each URL is reachable. Those labels are not shown in this listing.
    Lead URL (named in the summary above):
    • https://druttle.ru/aws?utm_term=how+to+pronounce+basic+korean+words
    Other URLs extracted from the document body, all pointing at PDFs on free-hosting or throwaway domains:
    • http://detonic-ordina.website/how_to_cite_internet_sources_in_an_essaykd638.pdf
    • http://premiumpornclips.com/67162271029zpr25.pdf
    • https://cdn.sqhk.co/talokelom/Fghgjpb/94193914958.pdf
    • http://nusobekod.22web.org/sex_education_technique_de_lhorloge.pdf
    • http://melowew.scienceontheweb.net/64300966865.pdf
    • https://lusovajilabijix.weebly.com/uploads/1/3/5/3/135351537/sawolumiw.pdf
    • http://vajogeboru.iblogger.org/65719029977.pdf
    • https://dawanuma.weebly.com/uploads/1/3/4/3/134305997/aca968d0d36bed.pdf
    • http://legalvictory.group/32293269079zk9y9.pdf
    • https://cdn.sqhk.co/pobopuwubox/i7Spvzn/slice_of_life_movies_bollywood.pdf
    • http://compte-cmbretagne.best/vidiq_plugin_chromegs5ap.pdf
    • https://mekowoto.weebly.com/uploads/1/3/0/7/130738632/6c8a8.pdf
    • http://free-at.pro/vidoxaxisilubibulirla2u.pdf
    • https://cdn.sqhk.co/jipogidara/ge8hijb/4908017453.pdf
    • https://uploads.strikinglycdn.com/files/e388b09e-8df1-4a36-b07c-837de13d7202/giwilusikobezajifulupopa.pdf
    • https://uploads.strikinglycdn.com/files/db1b7761-a9b1-4167-863c-04045d302f43/tarevixidujatof.pdf
    • http://tazomibege.epizy.com/define_personal_financial_report.pdf
    • http://womawujun.atwebpages.com/my_polaroid_speaker_wont_turn_on.pdf
    • https://uploads.strikinglycdn.com/files/0b09c73b-c21e-480a-8cc0-dda48d32236a/tp_link_tl_wr841n_v11_driver_router_tp-link_tl-wr841nd.pdf
    • https://uploads.strikinglycdn.com/files/51420b17-6a19-40ec-809d-8cfc7855fcca/44372472651.pdf
    • http://tuzotulerijenej.rf.gd/android_studio_set_debug_keystore.pdf
    XMP/RDF namespace identifiers, the SIL Open Font License URL and font-foundry sites (Ascender Corp, Dalton Maag). These are the strings an XMP metadata packet and the name tables of embedded fonts normally carry; they are not link targets and should not be treated as indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
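The two structural heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI, can be reproduced with a short scanner. The code below is an added example, not the report generator's own code: it walks the raw bytes of a PDF with regular expressions, records every definition of each indirect object in file order (so the first-wins and last-wins views are both available), flags duplicates whose bodies differ, raises severity only when a differing body carries active content, and extracts /URI action targets with the definition they came from. The PDF it runs on is constructed inline (benign link, then an incremental update that rotates the page and swaps the link target); the hostnames in it are placeholders. It does not open compressed object streams (/Type /ObjStm), so a real triage would inflate those first.

```python
# Added example (not the report generator's code): reproduce the
# PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI heuristics over a constructed PDF.
import hashlib
import re
from collections import defaultdict

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# Keys whose presence in a redefined body makes the duplicate worth a higher severity.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
               b"/URI", b"/GoToR", b"/SubmitForm", b"/EmbeddedFile")


def scan_objects(pdf):
    """Map (num, gen) -> [(file_offset, body_bytes), ...] in file order, so a
    first-wins reader sees defs[0] and a last-wins reader sees defs[-1]."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        objs[(int(m.group(1)), int(m.group(2)))].append((m.start(), m.group(3)))
    return objs


def duplicate_objects(pdf):
    """Flag objects defined more than once with different body bytes."""
    findings = []
    for (num, gen), defs in scan_objects(pdf).items():
        if len(defs) < 2:
            continue
        bodies = [body for _, body in defs]
        if len({hashlib.sha256(b).hexdigest() for b in bodies}) == 1:
            continue  # identical bodies resolve the same way in every reader
        active = any(k in b for b in bodies for k in ACTIVE_KEYS)
        findings.append({
            "object": f"{num} {gen}",
            "definitions": len(defs),
            "first_wins_sha256": hashlib.sha256(bodies[0]).hexdigest()[:16],
            "last_wins_sha256": hashlib.sha256(bodies[-1]).hexdigest()[:16],
            "active_content": active,
            # Body-only differences are common in benign incremental updates,
            # so only active content raises the severity above "info".
            "severity": "high" if active else "info",
        })
    return findings


def uri_actions(pdf):
    """Extract /URI action targets and record which definition of the object
    carried each one (0 = first-wins view, len-1 = last-wins view)."""
    out = []
    for (num, gen), defs in scan_objects(pdf).items():
        for idx, (_, body) in enumerate(defs):
            for m in URI_RE.finditer(body):
                out.append({"object": f"{num} {gen}", "definition": idx,
                            "of": len(defs), "uri": m.group(1).decode("latin-1")})
    return out


# Constructed sample (hostnames are placeholders): a one-page PDF with a link
# annotation, then an incremental update that redefines the page (benign
# change) and the link (new target). Xref tables are omitted because this
# scanner does not use them; a real update carries its own xref and /Prev.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (https://example.org/benign) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # incremental update appended after the first %%EOF
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] /Rotate 90 >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (http://lure.example/doc.pdf) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for finding in duplicate_objects(SAMPLE_PDF):
        print("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", finding)
    for action in uri_actions(SAMPLE_PDF):
        print("PDF_URI", action)
```

On the constructed file the page object (3 0) is reported at "info" because only /Rotate changed, while the link (4 0) is reported at "high" because the redefined body carries a /URI action; the URI listing shows the benign target under definition 0 and the replacement under definition 1, which is exactly the split a first-wins versus last-wins reader would see.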

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                        Size
font_00_sfnt_off0001044c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1044C    10716 bytes
  SHA-256: f1f53224948b288ea43c7cd24b6323db0e2aa1a3c609231fb6c1f9baec3cbfe0
font_01_sfnt_off0001267d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1267D    5176 bytes
  SHA-256: 9dcda0787cdc5b508d2ca59ee1e00a7eb44be78f9b5230f493310e00c532220d
font_02_sfnt_off00013827.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13827    10648 bytes
  SHA-256: 5801ffb169297b6732fe10909b8a4e676d303611490c84a0c3a4f25a8b9f912c
font_03_sfnt_off00015cac.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x15CAC    4324 bytes
  SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
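The four artifacts are sfnt (TrueType/OpenType) fonts carved from font streams. Each listed size exceeds the distance to the next listed offset (for example 0x1267D minus 0x1044C is 8753 bytes, less than the 10716 bytes of the first font), which is consistent with the offsets being positions of Flate-compressed streams in the file and the sizes being those of the inflated fonts. The code below is an added example, not the report's own carving routine: it inflates each stream it can, locates sfnt headers by their magic bytes, and computes the font's extent from its table directory (the largest tableOffset + tableLength) so that the carved blob has a defined end rather than running to the end of the stream. The sample PDF and the one-table font it contains are constructed here and are not real files from the sample.

```python
# Added example (not the report's carving code): carve embedded sfnt fonts from
# a PDF, inflating FlateDecode streams first and sizing each font from its
# table directory.
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
# 'stream' not preceded by 'end', so the 'stream' inside 'endstream' is skipped.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def sfnt_length(buf, off):
    """Length of the sfnt starting at buf[off:], or None if its table directory
    is implausible. Length = max(tableOffset + tableLength) over all tables."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= 64:
        return None  # real fonts have a handful of tables; rejects random hits
    end = 12 + 16 * num_tables
    if off + end > len(buf):
        return None
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):
            return None  # table tags are printable ASCII
        if t_off < 12 or t_off + t_len > len(buf) - off:
            return None  # every table must lie inside the buffer, after the header
        end = max(end, t_off + t_len)
    return end


def carve_sfnt(buf):
    """Return sorted (offset, length, font_bytes) for every plausible sfnt in buf."""
    found = []
    for magic in SFNT_MAGICS:
        pos = buf.find(magic)
        while pos != -1:
            length = sfnt_length(buf, pos)
            if length:
                found.append((pos, length, buf[pos:pos + length]))
            pos = buf.find(magic, pos + 1)
    return sorted(found)


def carve_pdf_fonts(pdf):
    """Carve from the raw file, then from every stream that inflates.
    Each hit is (channel, file_offset, offset_in_buffer, length, sha256)."""
    hits = [("file", off, off, n, hashlib.sha256(d).hexdigest())
            for off, n, d in carve_sfnt(pdf)]
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed, or not a complete stream
        for off, n, d in carve_sfnt(inflated):
            hits.append(("stream", m.start(1), off, n, hashlib.sha256(d).hexdigest()))
    return hits


def build_test_font(payload=b"\x00" * 32):
    """Constructed minimal sfnt: header plus one 'head' record pointing at payload."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"head", 0, 28, len(payload))
    return header + record + payload  # 12 + 16 + 32 = 60 bytes


def build_sample_pdf():
    """Constructed PDF carrying the same font once Flate-compressed, once raw."""
    font = build_test_font()
    packed = zlib.compress(font)
    obj5 = (b"5 0 obj\n<< /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n")
    obj6 = (b"6 0 obj\n<< /Length " + str(len(font)).encode()
            + b" >>\nstream\n" + font + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + obj5 + obj6 + b"%%EOF\n"


if __name__ == "__main__":
    for channel, file_off, inner_off, length, digest in carve_pdf_fonts(build_sample_pdf()):
        print(f"{channel} file offset 0x{file_off:X} (+{inner_off}) {length} bytes sha256 {digest}")
```

For the compressed copy the hit reports the file offset of the stream data and the font's length after inflation, the same pairing the artifact table uses; for the raw copy the file offset is that of the font itself. Object streams and other filters (LZW, ASCIIHex) are not handled, and a font stream split across an incremental update would need the xref to be followed.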