Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c95ce0f789a18bf…

Verdict: MALICIOUS

File type: PDF

Size: 73.1 KB
Created: 2021-04-06 15:18:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d1f3bdab3ab5b22f6fd3eb389b2216a
SHA-1: acad88256b0db0eb834e4d57666c24b69944c0d0
SHA-256: 3c95ce0f789a18bf80cf587eda44f3f71a613194f2621457b1c1b1bde0b61eaf
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'dafemum.ru', which is likely the distribution point for a malicious payload or a phishing page. The document body, though heavily obfuscated, suggests a lure related to a 'True devotion to mary book pdf'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/aws?utm_term=true+devotion+to+mary+book+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256 below)            Kind             Source                                      Size
font_00_sfnt_off0000e0a5.bin        pdf-font-stream  PDF embedded font (sfnt) at offset 0xE0A5   5292 bytes
  17cdbee245fbec34228c970628c4f43d319f614571adae1beff7ffb3d407502c
font_01_sfnt_off0000f29a.bin        pdf-font-stream  PDF embedded font (sfnt) at offset 0xF29A   10516 bytes
  7842e863cb944bbf1e966beb959412d4013dd3bab9e34bf028e1533ffbdd7559