Malicious PDF — malware analysis report

Static analysis result for SHA-256 335c13093edeb37a…

Verdict: MALICIOUS
File type: PDF
Size: 86.8 KB
Created: 2021-04-03 11:26:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 24cfc9434ea022650ada6d1910b8a241
SHA-1: d43c5175bcff7f4a518b109258d00a3c48b95acd
SHA-256: 335c13093edeb37afbb216383237c52660273037fe1e4cfad724f6fd9d22c539
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by both the machine-learning classifier (score 0.9992) and ClamAV; the ClamAV signature name (Pdf.Phishing.Trojan) classes it as a phishing trojan. The document embeds a large number of external URLs. One of them, 'https://druttle.ru/wix?keyword=how+to+use+minecraft+charm+mods+on+pc', is flagged as suspicious and is the likely lure destination; most of the remaining link targets are PDF documents on free-hosting and CDN domains, and the trailing entries in the URL list are XMP namespace and font-licence URIs from document metadata rather than link targets. A visual download / call-to-action button further supports a phishing or malware-distribution workflow. Note that none of the heuristics below reports embedded JavaScript, so the T1059.007 mapping above is not corroborated by the static findings listed here; the observable delivery channel is the external link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (the file is appended to rather than rewritten), so severity is raised only when the duplicate carries active content such as an action or script.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/wix?keyword=how+to+use+minecraft+charm+mods+on+pc (flagged as suspicious; likely lure destination)
    • https://static.s123-cdn-static.com/uploads/4481154/normal_5fe2c1f8e2e31.pdf
    • http://nutristrike-shop.ru/cisco_ccna_book_2019bfri4.pdf
    • http://lojasamericanasbr.com/mikuni_carburetor_diagramz969m.pdf
    • http://vibigobefe.22web.org/destiny_2_gameplay_guide.pdf
    • http://kefojixesopu.66ghz.com/30196450200.pdf
    • https://cdn-cms.f-static.net/uploads/4418192/normal_604b734378038.pdf
    • http://onlyforyou.space/why_is_annabel_lee_a_romantic_poem3wmoo.pdf
    • https://cdn-cms.f-static.net/uploads/4372963/normal_601299cccbaa6.pdf
    • http://svarka-aurora.online/murray_mower_parts_listolceg.pdf
    • https://cdn-cms.f-static.net/uploads/4446930/normal_5fdc7ed85fae1.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://wirobateruku.rf.gd/mazupinonifowujijusoxala.pdf
    • https://6fd4412c-3e6e-4f21-a9af-8137ffc6c0d9.filesusr.com/ugd/03469c_b2cee3f8c0cc4f0d8f71f711279017a7.pdf?index=true
    • https://s3.amazonaws.com/kagedatabujo/4215825909.pdf
    • https://s3.amazonaws.com/falufusu/65036043029.pdf
    • https://uploads.strikinglycdn.com/files/131e5868-ca5c-47a9-9957-aff85eed6fef/81006352490.pdf
    • http://baponexar.epizy.com/rekufilevupemu.pdf
    • https://s3.amazonaws.com/megodipewukitoj/how_do_i_reset_my_spacetalk_watch.pdf
    • https://e216d865-ddc7-438b-99b2-64609380b1bb.filesusr.com/ugd/7ae8b3_b38b2701dc0a4cf28b88cbc80f591563.pdf?index=true
    • https://6205d428-d5dc-494e-bbc3-e2236f9d811e.filesusr.com/ugd/6885a6_e3e664fd3c434bf3a72a5986676ff39e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/2f4f707d-9367-42b3-be38-b3b2f28d321b/86923839730.pdf
    • http://dijutago.rf.gd/dexazaxowam.pdf
    • https://s3.amazonaws.com/wemupajese/applied_energistics_2_beginners_guide.pdf
    • https://uploads.strikinglycdn.com/files/503fac0d-a8ad-4733-b45f-e540377ce060/danny_and_the_deep_blue_sea.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The last nine entries (w3.org, purl.org, ns.adobe.com, scripts.sil.org, dejavu.sourceforge.net) are XMP namespace URIs and DejaVu font-licence URLs pulled from document metadata and embedded fonts, not link targets a reader can click.
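The two PDF-structure findings above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI / EMBEDDED_URL) can be reproduced with a raw-byte scan. The following is an added example written for this report, not the analysis platform's own code: it lists every "N G obj" definition, reports object numbers defined twice with differing bodies, shows what a first-wins versus a last-wins reader would resolve, and pulls /URI literal strings together with the object that carries them. The sample PDF, the example.test URLs and the list of keys treated as "active content" are constructed for the demo and are not taken from the analysed file.

```python
"""Raw-byte triage for two of the report's PDF findings:
PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (same N G obj defined twice with different bodies)
and PDF_URI / EMBEDDED_URL (/URI actions reachable from link annotations or actions).
Added example; not the analysis platform's own code. The sample PDF below is
constructed for the demo and is not the analysed file."""
import re
from collections import defaultdict

# Indirect object definitions: "N G obj ... endobj". Objects packed inside
# /ObjStm object streams are compressed and are NOT seen by this raw scan.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /URI values written as a literal string "(...)"; the hex-string form "<...>" is not handled.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Keys treated as "active content" for severity purposes (assumption for this example;
# a plain substring test, so it is deliberately coarse).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def iter_objects(data):
    """Yield (num, gen, body) for every object definition, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def find_duplicate_objects(data):
    """Map (num, gen) -> [body, ...] for objects defined more than once with differing bodies."""
    seen = defaultdict(list)
    for num, gen, body in iter_objects(data):
        seen[(num, gen)].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(data, num, gen=0, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen), or None."""
    bodies = [b for n, g, b in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def has_active_content(body):
    return any(key in body for key in ACTIVE_KEYS)


def extract_uris(data):
    """Return [(num, gen, uri)] for every /URI literal string, tagged with its carrying object."""
    return [(num, gen, m.group(1).decode("latin-1"))
            for num, gen, body in iter_objects(data)
            for m in URI_RE.finditer(body)]


def triage(data):
    """Produce (finding_id, severity, detail) tuples in the style of the report above."""
    findings = []
    for (num, gen), bodies in find_duplicate_objects(data).items():
        # Body-only differences are normal in incremental updates; raise severity only
        # when one of the competing bodies carries active content.
        sev = "high" if any(has_active_content(b) for b in bodies) else "info"
        findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", sev, f"{num} {gen} obj x{len(bodies)}"))
    for num, gen, uri in extract_uris(data):
        findings.append(("PDF_URI", "info", f"{num} {gen} obj -> {uri}"))
    return findings


# Constructed sample: a one-page PDF with a link annotation, followed by an
# incremental update that redefines the catalog (object 1 0) to add an /OpenAction.
# xref tables are omitted because this scanner works on raw bytes only.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.test/download) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
    b" /OpenAction << /S /URI /URI (https://example.test/lure) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_PDF):
        print(*finding)
    print("first-wins catalog:", resolve(SAMPLE_PDF, 1, policy="first"))
    print("last-wins catalog: ", resolve(SAMPLE_PDF, 1, policy="last"))
```

Running it on the constructed sample reports the redefined catalog at "high" because the second body carries an /OpenAction, and lists both /URI targets with the object that holds each. Run against a real sample, remember that objects inside /ObjStm streams are invisible to this scan; inflate those first (or use a full PDF parser) before concluding that no duplicates exist.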

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000fee6.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xFEE6   5416 bytes
    SHA-256: 6190c3a2929f92c7252e1f4aa7d4210898ab920ad6a8c31dbe473ad1df465849
font_01_sfnt_off00011136.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11136  11124 bytes
    SHA-256: 970bea7ef177ef10959f8c472c09cf19fc3053db1ea84350a115154ca9892b0e
font_02_sfnt_off00013730.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13730  16064 bytes
    SHA-256: 6f41d85279102efce3c4bd26fddb767baf9b68a4f55e239fba9bedc2a2d3b953
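Before handing carved font streams like the three above to a font parser or a sandbox, it is worth confirming that each blob really is a well-formed sfnt and seeing which tables it carries. The following is an added example, not the analysis platform's carving code: it parses the sfnt offset table and table directory, rejects blobs whose directory or table records point outside the data (a truncated carve or a malformed directory), and prints a one-line summary. The sample font is constructed inline with filler table bodies; the real artifacts are not reproduced here.

```python
"""Sanity-check a font stream carved from a PDF (the 'pdf-font-stream' artifacts above)
by parsing its sfnt offset table and table directory. Added example, not the
analysis platform's carving code; the sample font blob is constructed inline."""
import struct

SFNT_VERSIONS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType/CFF",
}
OFFSET_TABLE = struct.Struct(">4sHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")    # tag, checkSum, offset, length


def parse_sfnt(blob):
    """Return (flavour, {tag: (offset, length)}) or raise ValueError if the header is inconsistent."""
    if len(blob) < OFFSET_TABLE.size:
        raise ValueError("shorter than an sfnt offset table")
    version, num_tables, *_ = OFFSET_TABLE.unpack_from(blob, 0)
    if version not in SFNT_VERSIONS:
        raise ValueError(f"unknown sfnt version {version!r}")
    directory_end = OFFSET_TABLE.size + TABLE_RECORD.size * num_tables
    if num_tables == 0 or directory_end > len(blob):
        raise ValueError(f"table directory ({num_tables} records) does not fit in {len(blob)} bytes")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            blob, OFFSET_TABLE.size + TABLE_RECORD.size * i)
        # Every table must lie inside the blob and after the directory. A record pointing
        # past the end means a truncated carve or a malformed directory; either way the
        # blob should not be treated as a trustworthy font.
        if offset < directory_end or offset + length > len(blob):
            raise ValueError(f"table {tag!r}: offset {offset} length {length} outside data")
        if tag in tables:
            raise ValueError(f"table {tag!r} listed twice")
        tables[tag] = (offset, length)
    return SFNT_VERSIONS[version], tables


def build_sfnt(tables, version=b"\x00\x01\x00\x00"):
    """Assemble a minimal sfnt from {tag: bytes}; used only to construct the demo input."""
    n = len(tables)
    # searchRange/entrySelector/rangeShift are lookup hints; zeroed here and not validated above.
    header = OFFSET_TABLE.pack(version, n, 0, 0, 0)
    offset = OFFSET_TABLE.size + TABLE_RECORD.size * n
    directory, body = b"", b""
    for tag, data in tables.items():
        padded = data + b"\0" * (-len(data) % 4)     # table data is 4-byte aligned
        directory += TABLE_RECORD.pack(tag, 0, offset, len(data))
        body += padded
        offset += len(padded)
    return header + directory + body


# Constructed sample: a two-table TrueType skeleton. Real fonts carry 'head', 'cmap',
# 'glyf', 'loca', ... with meaningful contents; the table bodies here are filler.
SAMPLE_FONT = build_sfnt({b"head": b"\x00\x01\x00\x00" + b"\0" * 50,
                          b"cmap": b"\0\0\0\1" + b"\0" * 10})


def summarize(blob):
    """One-line triage summary in the style of the artifact table above."""
    flavour, tables = parse_sfnt(blob)
    tags = ",".join(t.decode("latin-1") for t in tables)
    return f"{flavour} sfnt, {len(tables)} tables [{tags}], {len(blob)} bytes"


if __name__ == "__main__":
    print(summarize(SAMPLE_FONT))
    try:
        parse_sfnt(SAMPLE_FONT[:40])    # truncated carve: directory runs past the end
    except ValueError as exc:
        print("rejected:", exc)
```

To apply it to the carved files, read each `font_NN_sfnt_off….bin` and pass the bytes to `summarize`; a blob that raises here was either cut short by the carver or is not a plain sfnt (for example a CFF-only FontFile3 stream, which has no sfnt header at all) and should be examined by hand rather than loaded into a font engine.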