Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a30eb2c53f9f10b…

Verdict: MALICIOUS
File type: PDF
Size: 176.8 KB
Created: 2021-04-02 10:50:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2452dbf1d8144191543dfccf0568de75
SHA-1: 515b1388d659bb9512ac7ee6933e4cc1b5492ce4
SHA-256: 5a30eb2c53f9f10b76b2d399290069729cd161f8e3cfc14709a72f718b6758da
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'golowaki.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to a 'Dymo labelwriter 450 troubleshooting guide', aiming to trick users into visiting the external URL. No scripts were extracted, but the presence of external links in a malicious PDF strongly suggests it's used for initial access via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that keeps the first definition and a reader that keeps the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/123?utm_term=dymo+labelwriter+450+troubleshooting+guide

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000ec88.bin | c6a257332fca1dadf4fa8744bb0464b25f3e407896581ff8325de6f973c6b8fa | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEC88 | 126356 bytes
font_01_sfnt_off000262f8.bin | 404663194b7c22a214212bdb61eac1a4cd696939a2e2d3e6ca14fb33ee30b6eb | pdf-font-stream | PDF embedded font (sfnt) at offset 0x262F8 | 5928 bytes
font_02_sfnt_off00027718.bin | 273a08d22226020fc1003054526a238a0bc25107c0385f391708bc8433079f9a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27718 | 11016 bytes
font_03_sfnt_off00029d21.bin | f30dee97049be9486f88286cd27f440b23a478558c7e67267c2f80a8fc0e6b57 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x29D21 | 16232 bytes