Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ad81a05efa2d287…

Verdict: MALICIOUS
File type: PDF
Size: 70.0 KB
Created: 2021-03-10 12:09:17 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d9ddfd2d6b80446b03c9eb627a8f0a59
SHA-1: 2b3686b9ad223cd548314d831989c06d951d0703
SHA-256: 4ad81a05efa2d287c4733e75017ecb4fd5c9b9dc591ac2fd25c810cf82b17694
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. It contains an embedded URL pointing to 'golowaki.ru', which is likely part of a phishing or malware distribution scheme. The document body is heavily obfuscated, but the presence of the URL together with the heuristic detections strongly suggests malicious intent: redirecting the user to a compromised or malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/123?utm_term=play+store+app+online+games

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ca1d.bin
  SHA-256: df4cbf12e52d4af04467a4368c7f77ca50e2090d66507a02ac13348eabd5f7e0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCA1D
  Size: 5032 bytes

Filename: font_01_sfnt_off0000db23.bin
  SHA-256: 7401664e1c96326f97fedda477a3158dcb826c74a65174be0ab344e1f97ce0c4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDB23
  Size: 9820 bytes

Filename: font_02_sfnt_off0000fcb9.bin
  SHA-256: a542ec26cea93e049a2e27cd59b1347dd9bbdea13775fd7b822b3c2b3136116f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFCB9
  Size: 4324 bytes