Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ae77079d1707809…

MALICIOUS

PDF

Size: 82.9 KB
Created: 2021-03-24 09:41:45 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 55953d45e491a7636a25e32a7d1ef1ad
SHA-1: e1f7f2a81240b3ca8f949dd238ddead63cfc4c8b
SHA-256: 4ae77079d17078098edbdf3207d5f8dea90e3327e2fb5830400fa6ef2f47ada8
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URL pointing to 'golowaki.ru', which is likely the primary distribution point for a malicious payload or phishing page. The document body, though partially garbled, suggests a lure related to 'Antologia poetica para niños pdf'. No scripts were extracted, but the PDF structure and URL are strong indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/123?utm_term=antologia+poetica+para+ni%25C3%25B1os+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00010335.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10335  5524 bytes
  SHA-256: d6733c5b831c9eacd6c834e36ccbba55095a3ff630691e8092fec2a0d0e18643
font_01_sfnt_off000115cf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x115CF  12128 bytes
  SHA-256: c811a9c2c108c3faef10b77ee37c985933adb270d383ff63573b8293673ccb21