Malicious PDF — malware analysis report

Static analysis result for SHA-256 49c52010d5b8908a…

Verdict: MALICIOUS

File type: PDF

Size: 76.4 KB
Created: 2021-03-18 12:23:03 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: de53603ea8c35b095ee9daa5d222e599
SHA-1: a94ab95cfd137265d3e0e655c6f2ce8b65893f25
SHA-256: 49c52010d5b8908aa2178b341488a17449e3d9aa9ccb00d611c601b2a530c3ea
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file was flagged malicious by two independent engines, the Nyx PDF Classifier (score 0.9989) and ClamAV (Pdf.Phishing.Trojan signature), so the verdict does not rest on a single detector. No JavaScript or other script content was extracted; the only active content is link annotations with external /URI actions. Those links, led by 'https://dafemum.ru/strik?utm_term=honda+harmony+1011+bagger+for+sale', point at pseudo-random subdomains on shared and free-hosting domains and at '.pdf' paths named after unrelated search queries, the shape of a lure document that forwards the reader to a phishing or credential-harvesting page instead of the promised product listing. The file also redefines an indirect object with a different body in an incremental update, so the content a reader renders depends on whether its parser honours the first or the last definition. Delivery as a spearphishing attachment (T1566.001) is the expected initial-access path; no extracted script supports the T1059.007 (JavaScript) mapping, which should be treated as tentative.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=honda+harmony+1011+bagger+for+sale
    • http://dorulezebum.sportsontheweb.net/why_is_it_important_to_have_clear_goals.pdf
    • http://jiwapadenejeza.getenjoyment.net/vaxoxoke.pdf
    • http://dosijefa.mypressonline.com/lesaterumu.pdf
    • https://cdn.sqhk.co/zijopenuxafi/cxgiWgd/fubenatawisavubufus.pdf
    • https://cdn.sqhk.co/kofosenolo/ge3TEdM/suzebadazapuvak.pdf
    • http://tejasatobes.medianewsonline.com/echo_weed_eater_225_string_size.pdf
    • http://rujitexoxobag.mypressonline.com/mojave_road_guide.pdf
    • http://giwitap.getenjoyment.net/learning_english_speaking_books_free_download.pdf
    • http://vuxilenusip.mypressonline.com/3273872382.pdf
    • http://niwopofe.scienceontheweb.net/96504866921.pdf
    • https://cdn.sqhk.co/luwagoma/jjcOicm/jamman_stereo_looper_solo_xt.pdf
    • https://cdn.sqhk.co/xogodapap/3cpBJhc/regal_14_theater_grand_junction_co.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.daltonmaag.com/
    • https://4bf641bf-117a-4913-931f-55e49063997f.filesusr.com/ugd/5befcb_2e80b266903d4c5e96f42e805fb1c590.pdf?index=true
    • http://pefimubis.myartsonline.com/13160967284.pdf
    • https://0e75ab8e-f6a1-4360-bef2-1d94e06fde4e.filesusr.com/ugd/c0518c_ed31bcba31644853b419c55eec052d44.pdf?index=true
    • https://944bcc21-9f45-42c2-9889-8cf837fa5d1c.filesusr.com/ugd/50f869_274c72a4ffb34eb4b30b34d4297b9d31.pdf?index=true
    • http://ritabodaxitex.epizy.com/kidedabawirote.pdf
    • http://kubowulurarekij.myartsonline.com/3089148579.pdf
    • http://bumejefivoxigo.myartsonline.com/songs_mentioned_in_50_shades_of_grey_book.pdf
    • http://borovob.epizy.com/gitovedamosali.pdf
    • https://e691ad07-92dc-45fa-af10-8929b4045ede.filesusr.com/ugd/87b9a8_d90b8c1aba0e467d868f893fe5a00483.pdf?index=true
    • http://merapenerabari.myartsonline.com/materia_y_energia_definicion.pdf
    • http://zowofiz.myartsonline.com/learning_russian_textbook.pdf
    • https://0ac950e2-707a-4e47-8bf4-daface0ea9db.filesusr.com/ugd/356f11_244e483fc3a34de0b0c728d054c59934.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers and scripts.sil.org/OFL is the SIL Open Font License URL; the ascendercorp.com and daltonmaag.com entries are most likely font-foundry links carried in the name tables of the three embedded fonts listed below. None of these are indicators on their own; the triage value is in the dafemum.ru link and the free-hosting '.pdf' URLs above it.
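Added example (not part of this report or of the engine that produced it): a small Python scanner that reproduces the logic behind the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above. It runs on a constructed PDF byte string in which an incremental update redefines a link annotation with a different /URI, not on the analysed sample; the hostnames in the constructed input are placeholders. It records every definition of each indirect object in file order, reports objects whose bodies differ, flags whether any definition carries active content, and shows which URL a first-wins and a last-wins reader would follow.

```python
import re
from collections import defaultdict

# Constructed input (not the analysed sample): a minimal PDF whose incremental
# update redefines object 4, a link annotation, with a different /URI. Cross-
# reference tables are omitted because this scanner walks the bytes directly.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://example.com/product-listing) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://lure.invalid/strik?utm_term=placeholder) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind stops "14 0 obj" from also matching as "4 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values, allowing backslash escapes inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Dictionary keys that make an object "active content" rather than plain page data.
ACTIVE_KEYS = (b"/URI", b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def parse_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order.

    Index 0 is what a first-wins parser resolves; index -1 is what a last-wins
    parser resolves, which is the outcome incremental updates rely on. Binary
    streams that happen to contain "endobj" would need a stream-aware walk.
    """
    objects = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objects[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objects)


def has_active_content(body: bytes) -> bool:
    return any(key in body for key in ACTIVE_KEYS)


def duplicate_objects(objects: dict) -> list:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined more than once
    with differing bodies. Byte-identical redefinitions are ignored, and the
    'active' flag is what justifies raising severity above informational."""
    findings = []
    for key, bodies in sorted(objects.items()):
        if len(set(bodies)) > 1:
            findings.append({
                "object": key,
                "definitions": len(bodies),
                "first_wins": bodies[0],
                "last_wins": bodies[-1],
                "active": any(has_active_content(b) for b in bodies),
            })
    return findings


def extract_uris(objects: dict, policy: str = "last") -> list:
    """PDF_URI: external URL actions, resolved the way a reader with the given
    duplicate policy ('first' or 'last') would see them."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    results = []
    for key, bodies in sorted(objects.items()):
        body = bodies[0] if policy == "first" else bodies[-1]
        for m in URI_RE.finditer(body):
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # unescape \( \) \\
            results.append((key, raw.decode("latin-1")))
    return results


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for f in duplicate_objects(objs):
        print(f"object {f['object']} defined {f['definitions']}x, active={f['active']}")
    for policy in ("first", "last"):
        print(policy, "wins:", [u for _, u in extract_uris(objs, policy)])
```

Running it against the constructed input reports object (4, 0) as defined twice with active content, and the two URL lists differ: a first-wins reader follows the example.com link while a last-wins reader follows the lure. That divergence, rather than the bare presence of a duplicate, is what the heuristic description above treats as the reason to raise severity.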

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000de98.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDE98   5376 bytes
  SHA-256: dce879c96e432c5c1d580cf69bfb8b265b1579bae78a519074e9664a064344fa
font_01_sfnt_off0000f0b0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF0B0   10920 bytes
  SHA-256: d38d3ea84e8c3d57a38ed1ccab58b6abfba8aef7b18d2e414e14438a63c66b91
font_02_sfnt_off000115f0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x115F0  4324 bytes
  SHA-256: 9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2