Malicious PDF — malware analysis report

Static analysis result for SHA-256 560c612e11eca2b5…

Verdict: MALICIOUS
File type: PDF
Size: 78.6 KB
Created: 2021-04-08 01:59:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-25
MD5: 512105752746aa4c9f169344270a6e57
SHA-1: 24e3792c0cefcbe00805a82a7c684034d8a64eb4
SHA-256: 560c612e11eca2b5bb1d487024ffedea3ef22af86969f864d364c5b162795928
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF was flagged as malicious by two independent engines, the Nyx machine learning classifier (score 0.9998) and a ClamAV phishing signature, so the verdict does not rest on a single heuristic. The primary indicator is the link annotation whose /URI action points to https://dugedepap.ru/strik?utm_term=netgear+wnr1000+speed; the .ru host and the search-query-style utm_term value are consistent with a lure that redirects the reader to a phishing or credential-harvesting page. The remaining URLs were recovered from document text rather than from actions: most are links to other PDFs on CDN and free web-hosting domains (strikinglycdn.com, f-static.net, sqhk.co, myartsonline.com, sportsontheweb.net), and the rest are XMP metadata namespace URIs (w3.org, purl.org, ns.adobe.com) and font-licence URLs (ascendercorp.com, scripts.sil.org/OFL) that are not indicators on their own. No JavaScript or other script content was extracted, so the T1059.007 mapping is not substantiated by the carved artifacts; the observed mechanism is a click-through to an external site, not in-document code execution. The duplicated object body was rated info, meaning neither definition carried active content, but an analyst should still confirm that a first-wins and a last-wins reader resolve the same link target before relying on the single extracted URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes, typically because an incremental update appended a new definition after the original. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (JavaScript, Launch, OpenAction and similar keys); here it did not, hence the info rating.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dugedepap.ru/strik?utm_term=netgear+wnr1000+speed  PDF link annotation
    • https://cdn-cms.f-static.net/uploads/4391898/normal_60253c529b5d6.pdf  In PDF document text
    • https://cdn-cms.f-static.net/uploads/4448733/normal_6050498bc3c91.pdf  In PDF document text
    • https://cdn-cms.f-static.net/uploads/4485946/normal_5fd380d9451e4.pdf  In PDF document text
    • http://xevedudox.sportsontheweb.net/accounting_standards_free_download.pdf  In PDF document text
    • https://cdn-cms.f-static.net/uploads/4468820/normal_6057090a23b3a.pdf  In PDF document text
    • https://cdn.sqhk.co/xotosira/ejbTUn5/16006508039.pdf  In PDF document text
    • https://cdn-cms.f-static.net/uploads/4481831/normal_6011f5863039b.pdf  In PDF document text
    • https://cdn.sqhk.co/buvaboda/didcjhn/trucker_joe_diamonds_code.pdf  In PDF document text
    • http://www.ascendercorp.com/  In PDF document text
    • http://www.ascendercorp.com/typedesigners.html  In PDF document text
    • https://uploads.strikinglycdn.com/files/00c002fd-9edb-43f9-81e9-1023da9e8fb1/7616244094.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/d9b31bc5-2de2-44be-b22a-fbbc8ac9208f/golfer_paige_spiranac_net_worth.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/4233039d-a79f-44e4-abd3-71f4153ea007/54052973531.pdf  In PDF document text
    • http://wupidusujimi.myartsonline.com/concierto_de_aranjuez_trumpet.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/aa88f82c-cf58-4d79-a88e-81be87b1e81a/how_to_correct_english_grammar_online.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/fe780728-5757-41e2-816c-d95029e9ed4b/82534420826.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/1f1c7f73-423c-4800-b86a-7856ceaae4d0/how_popular_is_newsmax.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/967a40d2-69d7-4ed0-af2b-431355487d40/my_brighthouse_remote_not_working.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/8538c46c-744d-46c9-a0fe-8005c2e73905/2016_honda_trx_500_service_manual_free_download.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/c43d20cb-8d76-4b81-ae78-7df004122791/27338252568.pdf  In PDF document text
    • https://uploads.strikinglycdn.com/files/41bb5452-cd2a-4f50-aee0-720d842d7967/16172143675.pdf  In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  In PDF document text (XMP metadata namespace)
    • http://purl.org/dc/elements/1.1/  In PDF document text (XMP metadata namespace)
    • http://ns.adobe.com/pdf/1.3/  In PDF document text (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/  In PDF document text (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/mm/  In PDF document text (XMP metadata namespace)
    • http://ns.adobe.com/xap/1.0/rights/  In PDF document text (XMP metadata namespace)
    • http://scripts.sil.org/OFL  In PDF document text (font licence URL)
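The following is an added illustration of how the two structural heuristics above can be reproduced; it is not the scanner's own code and does not process the sample from this report. It builds a small PDF in memory (constructed for the example, with placeholder hostnames under the reserved .invalid TLD) in which a link annotation is redefined by an appended incremental update, then shows why a first-wins and a last-wins reader disagree on the object, how the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL severity depends on active content, and how each extracted URL is labelled by the channel that reaches it, using the report's own channel names.

```python
"""Added example (not the scanner's code): object-table confusion from an
incremental update, and per-channel URL labelling. The PDF bytes, object
numbers and hostnames below are constructed for this illustration."""
import re
from collections import defaultdict

# Constructed sample: object 5 (a /Link annotation with a /URI action) is
# redefined by an appended incremental update that swaps in a JavaScript
# action, so a first-wins reader and a last-wins reader open different URLs.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 68 >>
stream
BT /F1 12 Tf (Download: http://cdn.example.invalid/manual.pdf) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /URI /URI (https://dugedepap.example.invalid/strik?utm_term=x) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
  /A << /S /JavaScript /JS (app.launchURL\\("https://evil.example.invalid/"\\)) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
ACTION_RE = re.compile(rb"/S\s*/(\w+)")
# Keys whose presence makes a duplicate definition "carry active content".
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|ImportData|GoToR|RichMedia)\b")
URL_RE = re.compile(rb'https?://[^\s()<>"\'\\]+')


def parse_objects(data):
    """Every indirect object definition in file order, duplicates included,
    as (num, gen, offset, body). An incremental update simply appends more."""
    return [(int(m.group(1)), int(m.group(2)), m.start(), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def resolve(objects, policy="last"):
    """Simulate a reader's object table: 'last' keeps the newest definition
    (what following the xref /Prev chain normally yields), 'first' keeps the
    original one (what a lenient linear scanner may pick)."""
    table = {}
    for num, gen, _, body in objects:
        if policy == "first" and (num, gen) in table:
            continue
        table[(num, gen)] = body
    return table


def action_of(body):
    """Name of the /S action type in a body, e.g. 'URI' or 'JavaScript'."""
    m = ACTION_RE.search(body)
    return m.group(1).decode() if m else None


def find_duplicate_bodies(objects):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined more than
    once with different bytes. Severity stays 'info' unless some definition
    carries active content, mirroring the policy stated in the report."""
    bodies_by_obj = defaultdict(list)
    for num, gen, _, body in objects:
        bodies_by_obj[(num, gen)].append(body)
    findings = []
    for (num, gen), bodies in bodies_by_obj.items():
        distinct = list(dict.fromkeys(bodies))  # byte-identical repeats are not a finding
        if len(distinct) < 2:
            continue
        active = any(ACTIVE_RE.search(b) for b in distinct)
        findings.append({"obj": f"{num} {gen}", "definitions": len(bodies),
                         "first_wins_action": action_of(distinct[0]),
                         "last_wins_action": action_of(distinct[-1]),
                         "severity": "high" if active else "info"})
    return findings


def extract_urls(data, objects):
    """EMBEDDED_URL: map each URL to the channel(s) that reach it. A URL seen
    only in raw bytes (page text, XMP metadata, font strings) is labelled as
    document text, which is why such URLs are not detections by themselves."""
    channels = {}
    for _, _, _, body in objects:
        if LINK_RE.search(body):
            for m in URI_ACTION_RE.finditer(body):
                channels.setdefault(m.group(1).decode("latin-1"), set()).add("PDF link annotation")
        if ACTIVE_RE.search(body):
            for m in URL_RE.finditer(body):
                channels.setdefault(m.group(0).decode("latin-1"), set()).add("active action (JS/Launch/...)")
    for m in URL_RE.finditer(data):
        channels.setdefault(m.group(0).decode("latin-1"), {"In PDF document text"})
    return {url: sorted(labels) for url, labels in channels.items()}


if __name__ == "__main__":
    import json
    objs = parse_objects(SAMPLE_PDF)
    print(json.dumps({"duplicates": find_duplicate_bodies(objs),
                      "urls": extract_urls(SAMPLE_PDF, objs)}, indent=2))
```

On the constructed sample the duplicate of object 5 is rated high because its second body carries /JavaScript, and the first-wins table still shows the original /URI action while the last-wins table shows the JavaScript one; on a document like the one in this report, where both bodies are inert, the same finding would stay at info. The regex object walk deliberately ignores the xref tables so that it sees every definition a lenient reader could pick, which is the whole point of the check.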

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000f54a.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF54A    5348 bytes
  SHA-256: f27250fa62b3bb1309e4d13dacf60e85cd6e4b2c67ab1c3e2726964b306a9cb9
font_01_sfnt_off000107a4.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x107A4   11004 bytes
  SHA-256: a51d1ec817a9cecade6776eeb09bee0383d41030149d2225ad41733d92ba6290