Malicious PDF — malware analysis report

Static analysis result for SHA-256 251e307c0000c1da…

Verdict: MALICIOUS
File type: PDF
Size: 83.2 KB
Created: 2021-03-24 01:45:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6de06038812ce36089f90f56a86e84f2
SHA-1: 7ef22011622dcdd76f5e18a5fe36415c451e52b5
SHA-256: 251e307c0000c1daedc44d8614cc1e4963f783e588cca1693edb9f4db2b5fe54
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and an ML classifier. It contains an embedded URI pointing to 'dafemum.ru', which is suspicious. The document body, though heavily garbled, suggests a lure related to 'Universal studios singapore map 2020 pdf', likely to trick users into visiting the malicious URL. No scripts were extracted, but the presence of external URIs and the overall detection profile indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8900

Heuristics (3)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/award?keyword=universal+studios+singapore+map+2020+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00011737.bin
    SHA-256: 47a92d138c911b265c584b58ca96fd683c5bfb71f74eb61e706b5c45026812bc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11737
    Size: 5688 bytes
  • Filename: font_01_sfnt_off00012a84.bin
    SHA-256: 5f6bcee65b79ed10e2fd98dce182dec3907bdbc2522ca195f7c904d7d2e45192
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12A84
    Size: 12404 bytes