Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d882328f39a7a60…

Verdict: MALICIOUS
File type: PDF

Size: 95.8 KB
Created: 2021-03-25 07:03:55 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 55dfc25356819d0add4acd8012e915ad
SHA-1: 6391473be174de3c7969d37092138e7d79f3137f
SHA-256: 2d882328f39a7a609f6515b19f12f0b14fca70ff658eecbad8ef74f4edd9f878
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

A heuristic flagged an external URI in the PDF, specifically 'https://golowaki.ru/wix?keyword=the+gilded+age+part+1+worksheet+answers'. The document body, though heavily obfuscated, suggests a lure related to 'the gilded age part 1 worksheet answers'. Together these elements point to a phishing attempt in which the user is directed to a potentially malicious URL under the guise of educational content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/wix?keyword=the+gilded+age+part+1+worksheet+answers
    • https://cdn-cms.f-static.net/uploads/4408184/normal_6046c5dd7eb77.pdf
    • https://static.s123-cdn-static.com/uploads/4422392/normal_5fe074fdedc65.pdf
    • http://kexagatedonekun.iblogger.org/magistrate_report_and_recommendation_florida.pdf
    • https://cdn-cms.f-static.net/uploads/4412996/normal_6040f7959688b.pdf
    • https://cdn-cms.f-static.net/uploads/4487419/normal_605893ac2710d.pdf
    • http://xadimilok.iblogger.org/35743759680.pdf
    • http://dumokasazosates.iblogger.org/ruxizaxos.pdf
    • https://cdn-cms.f-static.net/uploads/4417045/normal_6051ca5588f7a.pdf
    • http://axecheat7.xyz/31537908133wmaka.pdf
    • http://businessmentality.com/juzudebomekubujafukagefek0r51g.pdf
    • http://lejesuxesegofaf.22web.org/asgard_archaea_illuminate_the_origin_of_eukaryotic_cellular_complexity.pdf
    • http://chatik85939775.fun/74197664209v68jd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://uploads.strikinglycdn.com/files/e6b4fb90-a7a5-4bdc-86b3-ef3fd4e57049/does_toshiba_smart_tv_have_android.pdf
    • https://uploads.strikinglycdn.com/files/0bfe33a4-e48d-412c-b890-ddd25d220351/71563464200.pdf
    • https://uploads.strikinglycdn.com/files/4c837e9b-0dae-40e7-bc36-3bbf7559f3c5/lightbown_p.__spada_n._2013._how_languages_are_learned._oxford._4th_edition.pdf
    • https://uploads.strikinglycdn.com/files/a4ff1481-e3f9-4b36-a185-6dc7bfaa1714/how_to_connect_to_parrot_ck3100.pdf
    • https://uploads.strikinglycdn.com/files/5f919c29-e54f-415d-8273-3bed4cc2e3e4/42163707995.pdf
    • https://uploads.strikinglycdn.com/files/90ae7e26-5beb-4ecf-bb3a-83b9817d388c/introduction_to_management_accounting_answers.pdf
    • https://uploads.strikinglycdn.com/files/0b0e9a5e-6aa4-4bd4-8bf7-4b82f15bb9cd/wasumokavusejodononevog.pdf
    • https://uploads.strikinglycdn.com/files/b84445ba-e7a1-4fd8-8111-c1ffcaf1473d/maxonidixugeseduvebilokup.pdf
    • https://uploads.strikinglycdn.com/files/9683835e-2a70-41e9-b299-b8889e154308/razapatuwodujoda.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00012681.bin | 3ee4c33a8af190fa49c7ea243b695cb39672efda64897db4cd19dd23de3499b3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12681 | 5164 bytes
font_01_sfnt_off00013820.bin | 29dc11cc9d28bb3855cbb9b576ec9ac7ec70a069456edb66d997c826e5d48974 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13820 | 12460 bytes
font_02_sfnt_off000161c8.bin | 4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x161C8 | 4324 bytes