Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fe4f682d44b11cc…

Verdict: MALICIOUS

File type: PDF

Size: 346.1 KB
Created: 2021-03-15 15:15:13 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e1ab724d3a3dba65d8254d6daa671061
SHA-1: de41fae53e8d89444f4311ed054695f0f6a3379f
SHA-256: 6fe4f682d44b11cc989871de3fa9d5ed7bcc265ff46f5a4c2972069fcaf9bcf2
Risk score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF document identified as malicious by ML classifiers and ClamAV. It contains an embedded URL that leads to a phishing lure masquerading as an academic questionnaire, intended to trick users into downloading further malware. The document body is heavily obfuscated, but the presence of the external URI together with the ML classifier's high confidence score indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9683

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure (high) SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/award?keyword=academic+performance+questionnaire+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000506ab.bin
  SHA-256: 169f767a50ffb7a1696c0b100e4ec577c94c850274a71ca120a761bc1f5b7a85
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x506AB
  Size: 5384 bytes

Filename: font_01_sfnt_off000518e6.bin
  SHA-256: 4a28ee3ecd30931aaaf50206adf89695cf5a40c40f84c5f04bd25f36290abecd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x518E6
  Size: 11980 bytes

Filename: font_02_sfnt_off000541d4.bin
  SHA-256: 04e99a91d2540df590e11a1437fd0f4bcd1d02fe5f8a454eb75df058f4e668e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x541D4
  Size: 16084 bytes