Malicious PDF — malware analysis report

Static analysis result for SHA-256 573a4de07e399003…

Verdict: MALICIOUS
File type: PDF
Size: 78.5 KB
Created (document metadata): 2021-03-29 06:34:32 +03:00
Authoring application (document metadata): wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 25a712e536f97a2637197e8872cb1b02
SHA-1: d2f7a8a5acbd718880bfa40b335252174342e70d
SHA-256: 573a4de07e3990033a1a8775f20f6e6e21ccc7d60d503f6557c16950617a06e0
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.007 Command and Scripting Interpreter: JavaScript (none of the heuristics below reports embedded JavaScript, so this mapping is not backed by a listed detection)

The PDF was classified as malicious by the ML classifier (score 0.9991) and by ClamAV (Pdf.Phishing.Trojan signature). The single external URI action extracted, 'https://dafemum.ru/123?utm_term=jai+bajrangbali+song++pagalworld', indicates that the document exists to send the reader to an attacker-controlled site; the utm_term value is a search query for a song download, consistent with a search-engine-poisoning lure. The document body is heavily obfuscated, but its producer metadata names wkhtmltopdf, an HTML-to-PDF converter, which supports the view that the file was generated from a web page rather than authored directly. One indirect object is also defined twice with differing bodies (see the heuristics below); on its own that is common in benign incremental updates and was reported at info severity only.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels (not reproduced on this page) record which channel (macro, JS, link annotation, document body, ...) reached each one. The first entry is the target of the external URI action reported above; the remaining entries were not reported as action targets.
    • https://dafemum.ru/123?utm_term=jai+bajrangbali+song++pagalworld
    • http://voyazh-shina.com/peavey_vypyr_vip_2_loopkf11i.pdf
    • http://jiteruruw.sportsontheweb.net/4031848305.pdf
    • http://rte-ita.fun/39487314213sccci.pdf
    • http://blekrossi.ru/what_to_eat_for_good_brain_development_during_pregnancyhz0js.pdf
    • http://streamsweets.com/jowutinowomkor5j.pdf
    • http://extrameets.fun/oracle_sql_select_date_without_timezndrm.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://derijumofode.rf.gd/fesigamijidometokidif.pdf
    • https://02e0da19-eac5-4521-950b-4e410541bf1c.filesusr.com/ugd/516249_30510b07abe54feeacc9cb17525ec671.pdf?index=true
    • https://0e01c86c-6ad9-43de-bc04-b8819f410213.filesusr.com/ugd/73c254_7f248b47bc674d8b98489b1e80de178c.pdf?index=true
    • http://wowesuwufurofak.rf.gd/mastering_metrics_angrist.pdf
    • https://uploads.strikinglycdn.com/files/27f3e163-53a4-46aa-ab6d-4522f06a59dc/good_quotes_from_le_petit_prince.pdf
    • http://nojajaraxekexip.epizy.com/ps4_gold_headset_usb_not_working.pdf
    • https://a35aa970-3e4e-4c20-be1f-53d10001bce9.filesusr.com/ugd/af4e73_b7fd9f33d2714a208d7b5d4ff7eb5e6f.pdf?index=true
    • https://uploads.strikinglycdn.com/files/1b5f57ae-3118-49cf-9f52-4a1650d0a24f/machine_learning_algorithms_for_disease_prediction.pdf
    • https://a82c121c-2200-4cd7-aff6-47cf910fdadb.filesusr.com/ugd/117c17_80cb5a5867f44bac961218d15961ed8c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/6ec72a0a-359a-4cbf-899a-44b9aaafca1a/53594033459.pdf
    • https://uploads.strikinglycdn.com/files/625b41b9-51a9-49c0-89af-65aacf9fc637/zenenugigapukofeni.pdf
    • https://1a447ccf-a6a5-490c-ad31-399ae8169532.filesusr.com/ugd/cf5184_56adb8ef468f42718ca85d2332aad8dc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/30743e27-dde7-4e03-93a0-7fbdc266b4e8/legal_aspects_of_film_production.pdf
    • http://bokawevetejap.atwebpages.com/1905463150.pdf
    • http://lefajiw.epizy.com/34186803654.pdf
    • http://voledudetalobu.rf.gd/marvel_comics_stock_market.pdf
    • https://uploads.strikinglycdn.com/files/31c24133-2599-49d8-940d-9934f9dc849a/86439120661.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not indicators: the w3.org, purl.org and ns.adobe.com URIs are RDF/XMP schema namespaces present in any XMP-tagged PDF, and scripts.sil.org/OFL is the SIL Open Font License URL, which commonly appears in the metadata of embedded open-licensed font programs.
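The following Python script is an added example, not part of this report or its analysis pipeline, showing on a constructed two-definition PDF what the PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics look for: every `N G obj` definition is collected by object number, duplicates with differing body bytes are reported, severity is raised from info only when a body carries active content, and the script shows which URL a first-wins reader versus a last-wins reader would resolve for the redefined link annotation. The sample PDF, its two URLs, and the list of keys treated as active content are assumptions made for illustration.

```python
"""Raw-byte PDF triage for two of the heuristics above: duplicate indirect
object definitions with differing bodies, and external /URI actions.
Added example with constructed input; not the analysis platform's own code."""
import re
from collections import defaultdict

# Constructed sample: a one-page PDF whose link annotation (object 4) is
# redefined by an appended incremental update. Both URLs are placeholders.
ORIGINAL = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (https://benign.example.invalid/report.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
INCREMENTAL_UPDATE = b"""4 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (https://lure.example.invalid/123?utm_term=x) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
SAMPLE = ORIGINAL + INCREMENTAL_UPDATE

# "N G obj ... endobj"; the lookbehind stops "10 0 obj" also matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Keys treated as "active content" (assumed list for this example).
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|URI|Launch|OpenAction|AA|SubmitForm|GoToR|EmbeddedFile)\b")
# /URI followed by a literal string; handles backslash escapes, not nested ().
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def definitions(data: bytes) -> dict:
    """Map (num, gen) -> every body defined for it, in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def has_active_content(body: bytes) -> bool:
    return ACTIVE_RE.search(body) is not None


def find_duplicate_objects(data: bytes) -> list:
    """(num, gen, definition_count, severity) for objects defined more than
    once with differing bodies. Identical redefinitions are ignored, and
    severity is raised from 'info' only when some body carries active
    content, mirroring the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL rule text."""
    findings = []
    for (num, gen), bodies in definitions(data).items():
        if len(set(bodies)) > 1:
            sev = "critical" if any(map(has_active_content, bodies)) else "info"
            findings.append((num, gen, len(bodies), sev))
    return findings


def resolve(data: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """Emulate a first-wins or last-wins reader for one object. A conformant
    reader follows the xref/update chain; recovery-mode parsers that scan for
    'N G obj' split between the first and the last definition they see."""
    bodies = definitions(data)[(num, gen)]
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(data: bytes) -> list:
    """Targets of /URI actions held in literal strings, escapes removed."""
    return [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(data)]


if __name__ == "__main__":
    for num, gen, count, sev in find_duplicate_objects(SAMPLE):
        print(f"object {num} {gen}: {count} definitions, severity {sev}")
        print("  first-wins ->", resolve(SAMPLE, num, gen, "first")[-70:])
        print("  last-wins  ->", resolve(SAMPLE, num, gen, "last")[-70:])
    print("URIs:", extract_uris(SAMPLE))
```

Run against a real sample, `find_duplicate_objects` is the check to apply before trusting whatever a single parser shows you: if it reports an object with active content, open the file in at least one first-wins and one last-wins tool and compare what each resolves.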

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000ea0d.bin
SHA-256:  e211f2d6e0d1bf1fd17bd5150bc2724fb7c0f1d37b1c69b855d9dcad8de34ab0
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xEA0D
Size:     2952 bytes

Filename: font_01_sfnt_off0000f49b.bin
SHA-256:  388a6a3bb7b3092bdf63c262353898fdd8aad97fb25b8d9cab889fd9e1f1de64
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xF49B
Size:     5424 bytes

Filename: font_02_sfnt_off0001072a.bin
SHA-256:  9573f0a7b190378bed7f51aa364e3d5e77579774bc24f3d361c3f7b220ff3acc
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1072A
Size:     11192 bytes

All three artifacts are embedded font programs (sfnt containers, i.e. TrueType/OpenType), as wkhtmltopdf normally embeds for the fonts used by the rendered page; none of the heuristics above flags the font streams themselves.
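As an added example (not the carver this report was produced with), the following Python shows how embedded font programs like the three above can be carved from a PDF: each stream is located, FlateDecode streams are inflated, and any payload that begins with an sfnt magic (0x00010000, 'true', 'OTTO' or 'ttcf') is recorded with the file offset of its raw stream data, its decoded size and SHA-256, and a filename in the same font_NN_sfnt_offXXXXXXXX style. The PDF fragment and the fake font header it embeds are constructed for the example, and treating the raw-stream offset as "the" offset is a choice made here, not a statement about how the report's offsets were computed.

```python
"""Carve embedded sfnt (TrueType/OpenType) font programs out of a PDF by
decoding its streams. Added example with constructed input; not the
analysis platform's carver."""
import hashlib
import re
import zlib

# Constructed stand-in for a font program: a valid sfnt header (version
# 0x00010000, two 16-byte table records) followed by filler. Not a usable font.
FAKE_SFNT = (b"\x00\x01\x00\x00" + b"\x00\x02" + b"\x00\x20\x00\x01\x00\x00"
             + b"head" + b"\x00" * 12 + b"glyf" + b"\x00" * 12 + b"\x00" * 200)


def build_sample_pdf(font: bytes) -> bytes:
    """Minimal PDF fragment with one FlateDecode FontFile2-style stream and
    one plain content stream; only what the carver needs, not a valid document."""
    comp = zlib.compress(font)
    return (b"%PDF-1.4\n"
            b"7 0 obj\n<< /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode /Length1 " + str(len(font)).encode()
            + b" >>\nstream\n" + comp + b"\nendstream\nendobj\n"
            b"8 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
            b"%%EOF\n")


SAMPLE_PDF = build_sample_pdf(FAKE_SFNT)

# Stream dictionary, then the data up to the first newline+endstream. Good
# enough for triage; a production carver honours /Length and object bounds.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def carve_sfnt_fonts(data: bytes) -> list:
    """One record per stream whose decoded payload starts with an sfnt magic:
    file offset of the raw stream data, decoded size, SHA-256, the payload,
    and a name in the report's font_NN_sfnt_offXXXXXXXX style."""
    found = []
    for m in STREAM_RE.finditer(data):
        dict_bytes, raw = m.group(1), m.group(2)
        payload = raw
        if b"/FlateDecode" in dict_bytes:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or not really Flate; skipped in this example
        if payload[:4] in SFNT_MAGICS:
            off = m.start(2)
            found.append({
                "filename": f"font_{len(found):02d}_sfnt_off{off:08x}.bin",
                "offset": off,
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
                "payload": payload,
            })
    return found


if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_PDF):
        print(rec["filename"], rec["size"], "bytes", rec["sha256"])
```

Hashing the decoded payload rather than the compressed stream is what makes the SHA-256 values comparable across samples: the same font subset recompressed by a different producer yields different stream bytes but the same carved artifact.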