Malicious PDF — malware analysis report

Static analysis result for SHA-256 48f33ee1f4fed3ec…

MALICIOUS

PDF

Size: 75.0 KB
Created: 2021-03-15 18:20:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 272a908247b1becee77ba20b3891a20d
SHA-1: bdc679560e66ee0031eb5b4da0eca13dadfa1bea
SHA-256: 48f33ee1f4fed3ecde1e9cdd2eccb8543f2dcd613ed9f094de0224d1a07003e1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URI pointing to 'dugedepap.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to technical documents, aiming to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9217

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/award?keyword=antenna+types+and+their+applications+pdf
    • http://parkingtest.xyz/tonuvavabj7nd.pdf
    • https://cdn-cms.f-static.net/uploads/4446401/normal_5fd1d4079734a.pdf
    • http://my-favshop.online/386385499797z2hl.pdf
    • https://cdn-cms.f-static.net/uploads/4391649/normal_5fe8fc9134468.pdf
    • https://cdn-cms.f-static.net/uploads/4420934/normal_601b298774db0.pdf
    • https://cdn-cms.f-static.net/uploads/4481985/normal_601335e28edeb.pdf
    • http://hellesypakk.online/craftsman_briggs_and_stratton_power_washer_wont_starthmg8o.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://30b7a97f-6117-4fff-8876-4b3c2220b6c6.filesusr.com/ugd/15cd4d_aecf8b14ebe14cb5ae96d8ab3e86db8c.pdf?index=true
    • https://0e098354-e5d1-4afc-9be7-763a70ae5e44.filesusr.com/ugd/ef253e_9f3456879ee240cf86d9137cf8edc9f8.pdf?index=true
    • https://uploads.strikinglycdn.com/files/f7e76d6d-b8d6-4435-b619-421adfb4d52c/87331184996.pdf
    • https://e082b6be-64c0-45f6-a8ff-82b9c6f476f0.filesusr.com/ugd/1479de_1f819074d8314150a97f0df571cfdaba.pdf?index=true
    • http://tufifexafepo.epizy.com/74584142157.pdf
    • http://gujugune.rf.gd/jet_engine_sound_effect_free.pdf
    • https://348ddb29-83e1-4812-94a1-743b72ef9b42.filesusr.com/ugd/23b571_0c25c386912a449f887a583441418845.pdf?index=true
    • https://d4508431-0eee-4913-ac2a-2ec907ed9b18.filesusr.com/ugd/12daa7_aab8aa06334b432ab356e0ea78f7f2b1.pdf?index=true
    • https://45dcde1a-aed5-4138-b95e-a0f768a283bf.filesusr.com/ugd/89441e_a124952eba564b0dace4ca60dc893706.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bf871860-ea00-465f-ada3-6354e7042572/count_number_of_non_zeros_in_numpy_array.pdf
    • https://80f75f89-a1e3-4611-a0ef-7a704eb82da9.filesusr.com/ugd/0286dd_f0bca1376ff14f299c591ae909793dfc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c1eeea12-c386-4cb1-a37e-6ee2c04fa1d6/rifajememebivogubusip.pdf
    • https://67d298e0-85f4-4ad4-bf36-e1ac857e42fc.filesusr.com/ugd/b6bf5b_dd243296ea6a47148996b8ac2a96465e.pdf?index=true
    • https://uploads.strikinglycdn.com/files/764268f1-c18e-4c8b-9c12-8a5b98273bac/rojole.pdf
    • https://05790d5e-93e9-4545-bcc4-99c37f081c18.filesusr.com/ugd/bff4d5_e45c887ca1df4fc3b9b8e1e97b642085.pdf?index=true
    • http://laganomezavarof.epizy.com/nurokakiwijavubulofotonev.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off0000f288.bin (30d05bf843946437f8208e4864161e40e32b633d69972bc3af71c0fe4214ce7b) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF288 | 5336 bytes
font_01_sfnt_off000104b6.bin (179d9fc5148b1c08c7ae662ea7855481cf615697f7a6e6c1d1a14a4e9a0d3f61) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x104B6 | 10776 bytes