Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b3c3dbcc3cd2d0e…

MALICIOUS

PDF

Size: 165.3 KB
Created: 2021-03-15 09:01:32 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3728f5483f6a5377bb738c740bded47b
SHA-1: cab285774051f2fed01db1b4a32c555c8717f795
SHA-256: 5b3c3dbcc3cd2d0e16f4cad29165311521045e5cd18d7e4656e863ba00e9b9c5
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'dugedepap.ru', which is likely a phishing or malware distribution site. The document body, though partially obfuscated, suggests a lure related to 'applying psychoanalytic theory to literature examples', a common tactic to disguise malicious content. No scripts were extracted, but the presence of external URLs strongly suggests the PDF is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/wix?keyword=applying+psychoanalytic+theory+to+literature+examples
    • https://cdn.sqhk.co/ronofumito/Uijggjf/play_mutant_fridge_mayhem_gumball_game_online.pdf
    • https://cdn.sqhk.co/bumegukomuza/heheclE/samsung_health_calories_burned_too_low.pdf
    • https://cdn.sqhk.co/goxupolofodi/shbEEhj/jedukora.pdf
    • https://cdn.sqhk.co/sepagumal/cEihbgh/world_adventures_sims_3_free_download.pdf
    • https://cdn.sqhk.co/mokopizel/jsMLTs2/corrosive_ingestion_guideline.pdf
    • https://cdn.sqhk.co/dosapupa/hjg8ghi/xegegukuxogo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/makumapikeze/mizigavovojixorepofepuk.pdf
    • https://de99934f-f465-4d69-af5e-14f317c0a7c6.filesusr.com/ugd/4fea5c_1cd2abb5a4554053acff93d900398bb8.pdf?index=true
    • https://5e0c4d4d-41f9-428c-9564-b93e7cff6769.filesusr.com/ugd/510691_3d9cd57c7ca948eca0f7aef986c54d58.pdf?index=true
    • https://c0cead0d-5248-483d-940e-95cc3acd9bde.filesusr.com/ugd/20d83a_5c60ced99b3a42c09bfe88a369e8bb66.pdf?index=true
    • https://4b67404f-136a-46a0-9cf3-151f2d38faab.filesusr.com/ugd/241fd5_49070c7025604cbca3394869e86bbe4a.pdf?index=true
    • https://fc06435f-e709-4c80-b59d-96fa470c1a13.filesusr.com/ugd/bdc04d_73def0ee7eee416f9a02050f0bc85c5d.pdf?index=true
    • https://s3.amazonaws.com/dedinavesute/symbolic_meaning_of_red_in_the_bible.pdf
    • https://4adff18d-dc39-4349-be2c-eeb12737f1cb.filesusr.com/ugd/9117e0_e971a162ff1b482ab0dc52b22b927cd6.pdf?index=true
    • https://s3.amazonaws.com/lanorolowu/tinelof.pdf
    • https://5090c2af-253d-40c3-bfb7-942fc6db26b0.filesusr.com/ugd/0511f5_29ecad907c6b4e6e9034ed1c8d93f29b.pdf?index=true
    • https://s3.amazonaws.com/ratixifo/48246840298.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00023480.bin
  SHA-256: c716bb8e83214c5702ae68be7937909a9cbfa90e793636a4cece229a05cbd152
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x23480
  Size: 5504 bytes

Filename: font_01_sfnt_off00024725.bin
  SHA-256: dc3c18ab6aed593e582f18fee440268e3703424b8a0f0956198c7ebf45cd8cba
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x24725
  Size: 12184 bytes

Filename: font_02_sfnt_off00026f42.bin
  SHA-256: a1d034c4899da820a17195885c2d76cd6be3fce17d3f1660d9b3805b34643d2d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x26F42
  Size: 16272 bytes