Malicious PDF — malware analysis report

Static analysis result for SHA-256 4dac30ebb9b72dcc…

Verdict: MALICIOUS
File type: PDF
Size: 201.6 KB
Created: 2021-03-16 20:23:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d16dc01f572f087523a5c6e26d41d1a5
SHA-1: e94110321f36225396f253f9180241c3ccca5137
SHA-256: 4dac30ebb9b72dcc8f0e91484f8205bca6417c32f12b204ae0cd8cfee44dae01
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document identified as malicious by ClamAV and an ML classifier. It contains an embedded URL pointing to 'golowaki.ru', which is likely used for phishing or to download a secondary payload. The document body, though heavily obfuscated, suggests a lure related to 'in text citation worksheet answers'. No scripts were extracted, but the PDF structure and embedded URL are strong indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9894

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://golowaki.ru/wix?keyword=in+text+citation+worksheet+answers
    • http://xixapewazawa.22web.org/kitodixilofenenokalavot.pdf
    • http://dusexixegiseves.iblogger.org/vopewinoxupowo.pdf
    • http://jorowijedo.mywebcommunity.org/cbc_test_report_sample.pdf
    • http://nakaxovatixokew.22web.org/hollow_wood_surfboard_templates.pdf
    • http://mudixefibewab.mywebcommunity.org/i_want_to_learn_arabic_language_through_english.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://retugizi.rf.gd/36621012427.pdf
    • http://butokerisutu.epizy.com/kibamuzebiwibajetipan.pdf
    • http://jabaxuzadowepep.rf.gd/95162403559.pdf
    • http://jinesiwi.epizy.com/xefulaxer.pdf
    • https://uploads.strikinglycdn.com/files/9475b3c7-4319-4113-be31-b4deb2df3bf8/11738143717.pdf
    • http://vizulubafaxal.epizy.com/kokawuletopunen.pdf
    • https://882e4f53-a7e1-4d4a-89e8-a6e6d9f9b805.filesusr.com/ugd/9a13d2_6912c315aac74e3eb6a7173b88ae0fd6.pdf?index=true
    • https://uploads.strikinglycdn.com/files/176dfcbd-d7c8-4dc7-9010-36263930ee46/xagiw.pdf
    • https://s3.amazonaws.com/ligole/61425996778.pdf
    • https://uploads.strikinglycdn.com/files/67abb87f-8dba-4ff7-b761-173eddcd16e1/distributed_systems_book_download.pdf
    • https://1a9cd40a-f0d6-44d4-a143-19288280ca2b.filesusr.com/ugd/7a13df_d0a92ca564804d758fa9cb6676ffafbe.pdf?index=true
    • https://1682489e-d94b-4f22-b6a6-c8ecb623ca2e.filesusr.com/ugd/5f226e_52b3845907e2442dbfae68e04be71e54.pdf?index=true
    • https://s3.amazonaws.com/vavabi/48873875579.pdf
    • https://s3.amazonaws.com/warapagefasovi/cursos_alura_mega.pdf
    • https://uploads.strikinglycdn.com/files/999ae8fa-4544-4906-84b5-447de40be6f5/9100646642.pdf
    • https://s3.amazonaws.com/jupudizadid/create_list_of_sheets_vba.pdf
    • http://sarutufasiko.atwebpages.com/viipuri_library_alvar_aalto.pdf
    • http://vagelebab.rf.gd/answered_prayer_gospel_group.pdf
    • https://59e5a08b-0d8d-455f-a3a7-35a3b781ab3e.filesusr.com/ugd/784815_1a9d45c88a6f40db8ccb0f060bfef9c8.pdf?index=true
    • http://vedezanopade.epizy.com/how_to_write_a_motivational_speech_for_employees.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000108eb.bin | bcfdd0257ceb9c185a26d9b43a9098f6e323029e8fa524d449e25aca8b59120d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x108EB | 161132 bytes
font_01_sfnt_off0002e23e.bin | a4ae09b6783db4d8cf9f942933074452bdc1592c3fe98565bc45d092dcc03abd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2E23E | 5016 bytes
font_02_sfnt_off0002f363.bin | 78491984a6d6c7e8ff331604a52eec0157c33780fa355af9efd61c8be073dd70 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F363 | 10776 bytes