Malicious PDF — malware analysis report

Static analysis result for SHA-256 319d0c2c4eb3dd20…

MALICIOUS

PDF

Size: 83.5 KB
Created: 2021-07-21 16:22:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: e3adf3af389ae00c8606a2acac58dac7
SHA-1: 8e60a7b17b0201057354a11494c37f0d90bdece6
SHA-256: 319d0c2c4eb3dd20ae7f5b0418a151c2f00bb4cddf43e85b742e096651007b13
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. An external URI pointing to 'drafthe.ru' was extracted, suggesting a phishing or malware distribution attempt. The document body was unreadable, but the presence of an embedded URL is a strong indicator of a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://drafthe.ru/square?utm_term=general+form+to+slope+point+form (label: URL)
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e95ebbf229ba2ea838cedf/1625906875891/8415545030.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f14a971d653208009d20ad/1626426007530/subchorionic_hemorrhage_miscarriage.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f0c51406e5cb5c825f3b08/1626391828777/31793828961.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f49781699a8678c5891f11/1626642305328/five_warm_up_exercises.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f564bfe13ee97666203e2c/1626694847393/15311071972.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f008696611482e0a913608/1626343529176/1311317059.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ecfb9f5eed834fcc310909/1626143647784/deny_meaning_in_bengali.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f6c91262cda9122b26cf26/1626786066522/vifob.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60ecb5eced332b23a5bcdc95/1626125804372/jewasomatexujula.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f11ee51c98e64adee81989/1626414821680/wwe_2k_apk_for_android.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f34687fb6d8f5e80580913/1626556039536/what_do_new_mexico_lizards_eat.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f369a96167905317dc0d2e/1626565033432/how_to_take_a_screenshot_of_a_snapchat_story.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60eddd88670c344ea75cf8c7/1626201480544/pafejivukap.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60ec70ffc3fb560d26f0e4d0/1626108159724/mobuf.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60e8ee87e51f1f218d67b6eb/1625878151624/marketing_and_sales_strategy.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f7a9f8f603c47074e74038/1626843640826/83962111480.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60efd1e1a9bc231ac1cd4dd2/1626329569313/heroes_of_might_and_magic_hd_mod.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f5421b5f13a15bd836072d/1626685979867/20233914486.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f235680a88cb63e5be4367/1626486120280/zubarulujakiloba.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f4fe8ea9adb72803bad8bd/1626668686199/what_is_a_side_strain.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f4473225edf12306639362/1626621746409/7.4_quarts_to_gallons.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off0000e4ab.bin (729f8bce7d2fad16375cfc32adde106a371fcaa50969d0d1e5691a3febd32131) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4AB | 16696 bytes
font_01_sfnt_off00011041.bin (9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11041 | 16792 bytes
font_02_sfnt_off00012858.bin (dead9cc8f3446ad13fa0d67f95e222791837accc65babd50d96ab35ed19a6713) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12858 | 10556 bytes