Malicious PDF — malware analysis report

Static analysis result for SHA-256 50c694ebed105644…

Verdict: MALICIOUS
File type: PDF
Size: 82.3 KB
Created: 2021-07-21 18:31:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 1d1fc6557831f67f2db5edf799eb550f
SHA-1: 34b54d012143ebd2a6f7be9bf214cb7ad4eae62e
SHA-256: 50c694ebed1056445752bf7c296e0e694d4e1cb5451d944b8034c5ec8613afe8
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URI pointing to 'catamma.ru', which is highly suspicious. Although no scripts were extracted, the presence of the malicious URL strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://catamma.ru/square?utm_term=citizen+by+registration
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60ec95af934d360eb289ed40/1626117551136/direct_and_indirect_speech_translator.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f704272251ab000acdb1ce/1626801191392/8410549988.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60f1e9932afbb3684ef98cd7/1626466708038/a_button_on_switch_not_working.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ed5017094bb21e999361a7/1626165271675/education_for_democracy.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ee33790981f36585a15b5c/1626223481703/can_birds_eat_unpopped_popcorn.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60e7a25e25441e1b3782cc98/1625793118560/xizapi.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ecad195b92cb3d5f9e29a3/1626123545618/36216967847.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f710db081db7727dabc579/1626804443352/seafood_tumpah_crabby_party.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ec90aac32416487af0861d/1626116266797/karma_thoughts_in_english.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60e940dae6bd1231e608f495/1625899226376/gadalifagozalu.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f60bd6a90f463f504035ec/1626737623012/sioux_indians_today.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60eca97c7b14134336e0561f/1626122620980/lab_report_example_engineering.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f6c04fe937b46fbd208e32/1626783823664/94689482568.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f450755f13a15bd8288131/1626624117415/seven_deadly_sins_the_movie_prisoners_of_the_sky.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60e912642dabf2723553be5c/1625887332459/what_is_the_sin_of_pride.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f538836d5e991e36f6bcef/1626683523202/star_wars_combat_forms.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f136b25422dc4ac5c6a43d/1626420914237/how_to_tame_a_pteranodon.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ec857c700aa07a78952369/1626113404666/if_im_52_what_year_was_i_born.pdf
    • https://static1.squarespace.com/static/60bf6bff0d8d387fecc8b153/t/60f81d3f28ef38068408f065/1626873151364/rolug.pdf
    • https://static1.squarespace.com/static/60bf69b23f3791685666e32d/t/60ee0e7f115d504d3a82a91d/1626214015604/rap_songs_about_being_yourself.pdf
    • https://static1.squarespace.com/static/60aac5994c6b1805bc4acbdb/t/60ecf3263489b768f16aa990/1626141478806/57097336387.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000dd79.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDD79
    Size: 16792 bytes
  • font_01_sfnt_off0000f590.bin
    SHA-256: e426e8b022befd2d64f8b7832b43750cf25b4b2c4a3efbf822c59840d7f4df0f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF590
    Size: 10580 bytes
  • font_02_sfnt_off00010df6.bin
    SHA-256: 7d979df187a99192477b0856928ea0d841fd78778c7d1b9d69501a93fb360edc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10DF6
    Size: 16716 bytes