Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f2e83b7a57aebf1…

Verdict: MALICIOUS
File type: PDF
Size: 79.6 KB
Created: 2021-03-12 06:05:49 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be0ea56f19f9de5077e120bc6d49e8d4
SHA-1: d4ee5016ed20b5714391d9a179abda741f6a7de7
SHA-256: 5f2e83b7a57aebf1e41c9161a623b51a0b2768aa0009c9e93c579696cc7c1060
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains an embedded URL. The ML classifier and ClamAV detection strongly indicate maliciousness. The embedded URL, 'https://dugedepap.ru/wix?keyword=sadlier+oxford+vocabulary+workshop+level+e+unit+10+answers', is likely part of a phishing or scam campaign, attempting to trick users into visiting a malicious site by appearing as a search result for educational content. No scripts were extracted, but the PDF structure and URL are sufficient indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/wix?keyword=sadlier+oxford+vocabulary+workshop+level+e+unit+10+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f7fb.bin
    SHA-256: a8e8b256f03c27d51dcad88f668da5ad369dce72f43114282f33b137ba529574
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF7FB
    Size: 6064 bytes
  • Filename: font_01_sfnt_off00010cba.bin
    SHA-256: 38575f85d4720fb67cbc316366e6e40e770d9aec9fefc036420ca21118ecd317
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CBA
    Size: 10560 bytes