Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a32850b47de0371…

MALICIOUS

PDF

Size: 112.3 KB | Created: 2021-03-30 11:33:22 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c82ba3fd3a2d5b930a402d37743c528d SHA-1: d860eb50418bd3c2dbad998d6a005b0d0e136bcb SHA-256: 3a32850b47de03712c1d0057dff75a3a11c82d2c8db9744b3f22e551dabe782d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by the ML classifier (score 0.9996) and by ClamAV (a Pdf.Phishing.Trojan signature), consistent with a phishing lure delivered as an attachment. It carries an external URL action (PDF_URI) that points to a suspicious domain, most likely to fetch a follow-on payload or to redirect the user to a phishing page. The file was produced with wkhtmltopdf from HTML, so many of the extracted URLs are ordinary page content (XMP namespace URIs and font licence links from the embedded DejaVu fonts) and should be treated as context rather than as separate indicators; the remaining links to hosted PDFs are the lure's own content and are worth checking individually. Two caveats for the analyst: none of the listed heuristics extracted JavaScript, so the T1059.007 tag is not substantiated by this static pass, and the duplicate object definition (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) should be checked for active content before its severity is raised, since body-only differences are also produced by benign incremental updates.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/award?keyword=ghazwa+khandaq+pdf
    • http://workshop-fb.ru/melodiwebirejepjmdl.pdf
    • http://pegijegur.mygamesonline.org/2020_bears_schedule.pdf
    • http://lilozekakotelup.sportsontheweb.net/apdcl_advertisement_2020.pdf
    • http://1yamal.space/6114255617sw1lm.pdf
    • http://abzac.me/rogeta6snpe.pdf
    • http://tesekal.mygamesonline.org/48519265279.pdf
    • http://giwudogor.scienceontheweb.net/11564400126.pdf
    • http://sepozimog.scienceontheweb.net/sizitapazipakigo.pdf
    • http://ladiluvame.mypressonline.com/instructions_rca_universal_remote_control.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://5c3e38fa-bf2d-4cda-bfdc-19e9a39f2227.filesusr.com/ugd/b3ada4_7a9a02fe6aa14c9ba27e700740a26772.pdf?index=true
    • https://aefbb2f1-1cfc-4a48-aab2-d72547d84173.filesusr.com/ugd/2f3ac6_ffdc1d50505c4f85b13baa23c0debfc2.pdf?index=true
    • https://972af30b-04c2-4618-b911-83ba0b7fef9e.filesusr.com/ugd/84a5c6_2342b3e7a0d1444d8b52a8caf7090946.pdf?index=true
    • https://s3.amazonaws.com/miledu/basic_electronics_repair_guide.pdf
    • https://s3.amazonaws.com/zupenafud/44749517214.pdf
    • https://0df22b04-17ae-4e65-9af8-3af4445b4601.filesusr.com/ugd/71fd01_3c61e3efec604bb9b7b9ef475f26ad9f.pdf?index=true
    • https://s3.amazonaws.com/tojazudibumogab/33298619419.pdf
    • https://466f9527-ada3-48b4-ac0c-4ba5546996ca.filesusr.com/ugd/a4b6b9_acc8650d7750485f9b716263a5438f65.pdf?index=true
    • https://bd7a0a6f-bbfd-49cc-ba41-c3f2778102d9.filesusr.com/ugd/9ea91e_e49105212b0a438d86be030a0cb376ee.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
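The two heuristics above that need analyst follow-up, the duplicate object definition and the per-URL channel labels, can both be reproduced with a short linear scan of the file. The following example is added here and is not part of the report's tooling; it runs over a constructed two-revision PDF (not the analysed sample) in which an incremental update redefines the page's link annotation with a /URI action. It reports, per duplicated object, what a first-wins and a last-wins reader would each resolve and raises severity only when a body carries active content, and it labels every extracted URL with the channel that reaches it (URI action, JavaScript, XMP metadata, or plain body). The key list in ACTIVE_KEYS and the channel names are this example's own choices.

```python
import hashlib
import re

# Constructed sample (not the analysed file): a one-page PDF whose incremental
# update redefines object 5, the page's link annotation, with a /URI action.
# The xref tables are omitted and /Length is not relied on; the scanner below
# deliberately ignores xref so that it sees every definition, as a naive
# first-wins or last-wins reader would.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>
endobj
4 0 obj
<< /Type /Metadata /Subtype /XML /Length 62 >>
stream
<x:xmpmeta xmlns:x="http://ns.adobe.com/xap/1.0/"></x:xmpmeta>
endstream
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]
   /A << /S /URI /URI (http://example.invalid/lure.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj", scanned linearly over the whole file.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Keys whose presence means an object can act rather than merely display
# (assumed list for this example; extend as needed).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/URI", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def parse_objects(data):
    """Return [(num, gen, body)] for every indirect object, in file order."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def find_duplicate_objects(data):
    """Objects defined more than once with differing bodies, keyed by (num, gen).

    Records what a first-wins and a last-wins reader would each resolve and
    raises severity only when one of the bodies carries active content, since
    body-only differences are normal in benign incremental updates.
    """
    bodies_by_ref = {}
    for num, gen, body in parse_objects(data):
        bodies_by_ref.setdefault((num, gen), []).append(body)
    findings = {}
    for ref, bodies in bodies_by_ref.items():
        if len({hashlib.sha256(b).digest() for b in bodies}) < 2:
            continue
        active = sorted({k.decode() for b in bodies for k in ACTIVE_KEYS if k in b})
        findings[ref] = {
            "definitions": len(bodies),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "active_content": active,
            "severity": "high" if active else "info",
        }
    return findings


def classify_channel(body):
    """Label the channel through which URLs in this object are reached."""
    if b"/S /URI" in body or b"/S/URI" in body:
        return "uri-action"
    if b"/JS" in body or b"/JavaScript" in body:
        return "javascript"
    if b"/Type /Metadata" in body or b"/Type/Metadata" in body:
        return "metadata"
    return "body"


def extract_urls(data):
    """Return [(url, channel)] in file order, one entry per distinct pair."""
    seen, out = set(), []
    for _num, _gen, body in parse_objects(data):
        channel = classify_channel(body)
        for m in URL_RE.finditer(body):
            entry = (m.group(0).decode("latin-1"), channel)
            if entry not in seen:
                seen.add(entry)
                out.append(entry)
    return out


if __name__ == "__main__":
    for ref, f in find_duplicate_objects(SAMPLE_PDF).items():
        print(f"object {ref[0]} {ref[1]} defined {f['definitions']}x, "
              f"severity={f['severity']}, active={f['active_content']}")
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:<11} {url}")
```

On the sample, object 5 0 is reported twice with differing bodies: a first-wins reader sees a plain link annotation, a last-wins reader (and any reader that trusts the updated xref) sees the /URI action, so the finding is raised to high. The XMP namespace URL is labelled metadata and the lure URL uri-action, which is the split the report's "see the per-URL labels" note asks the analyst to make before treating a URL as an indicator.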

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000150b8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x150B8  4616 bytes
    SHA-256: 7a79c2229dbf523fff5cec45797d5ec655e718b84289aa4983f91e7acdf303b0
font_01_sfnt_off0001606f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1606F  12084 bytes
    SHA-256: 2c2f21e157215bf11e62a2ab143fb3f941a0ede1c183ee4afd71960660ec2d84
font_02_sfnt_off000188d1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x188D1  18548 bytes
    SHA-256: 83116e4c4108d91ecc31fa56b068367c3716ccac833eb888d7bb64a19c9ecaca
font_03_sfnt_off0001a5aa.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1A5AA  4324 bytes
    SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2