Malicious PDF — malware analysis report

Static analysis result for SHA-256 577bc577dd535c7a…

Verdict: MALICIOUS
File type: PDF
Size: 204.2 KB
Created: 2021-04-09 07:08:42 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a9ab78439fa1674afcc976999df219c
SHA-1: 6de816603d3614bd5d6f8ff208a1245fa963aa97
SHA-256: 577bc577dd535c7ad5a1dc098cc33fb156a5fc87fa62b2d44505d54ef061ad54
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a critical detection score. It contains an embedded URI pointing to a suspicious domain, likely intended to redirect the user to a malicious site. The document body, though heavily obfuscated, suggests a lure related to a chapter summary, consistent with phishing or malware delivery tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9710

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dafemum.ru/strik?utm_term=the+wretched+of+the+earth+chapter+3+summary

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0002dc4b.bin | b7cf9d9e53c1f51878b1abb7a6c3b11cf47f1fce771123265b12b6346a5e1e12 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2DC4B | 5396 bytes
font_01_sfnt_off0002eebb.bin | ff77dc4ae8ee92ef00699c161433b81d62fa665ea32e39fc7ed6fc71b333700c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2EEBB | 11492 bytes
font_02_sfnt_off0003146d.bin | b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3146D | 4324 bytes