Malicious PDF — malware analysis report

Static analysis result for SHA-256 44c38e779ae7d268…

MALICIOUS

PDF

Size: 83.9 KB
Created: 2021-04-15 18:20:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 396d4733a4cc83b6263bae370b40c3fe
SHA-1: 2878a243d90a938128681bb66215c7e91d666635
SHA-256: 44c38e779ae7d26859acb17597b98beeb13f1b395b01ce95112d275daf843f96
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains an embedded URL that redirects to a suspicious domain, disguised as nutrition facts for Dunkin Donuts. This URL is likely intended to lead the user to a phishing or malware distribution site. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/strik?utm_term=dunkin+donuts+mocha+flavor+swirl+nutrition+facts (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0001069b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1069B | 5476 bytes
  SHA-256: e6649412390eb524337b2c9d06010fd854c0780ae8146d591d0aa5d72afc7561
font_01_sfnt_off00011931.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11931 | 11392 bytes
  SHA-256: 6f1959fa60b0bf3f471e8c0889df77cf8508fb6f87cecb9df94a9e1911400a0b