Malicious PDF — malware analysis report

Static analysis result for SHA-256 7179b2753a3a9f6a…

Verdict: MALICIOUS
File type: PDF

Size: 87.5 KB
Created: 2021-05-25 06:02:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f91bac9c282f6501c04e3fef3b5b234a
SHA-1: 0a69b1d4ec11368de2c51009cbcf2789b14a0ad4
SHA-256: 7179b2753a3a9f6a4f50cc36249dddf1aa6d590b4c48eaaece6280543d3e0e93
Risk Score: 136

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a link to an algorithmically-generated URL, which is a common tactic for phishing or malware distribution. The document body, though heavily obfuscated, contains references to "Dungeon Hunter 5 gems hack", suggesting a lure to trick users into downloading the malicious file. No scripts were extracted, but the presence of external links and the overall detection profile indicate a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL [high] PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://medvor.ru/uplcv?utm_term=dungeon+hunter+5+gems+hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00011ca0.bin
    SHA-256: e684daa354c72ba39e6dcc23ad7559e7b2aefdac7c7ac4d2305eb57b4e9ecdab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11CA0
    Size: 5368 bytes
  • Filename: font_01_sfnt_off00012ebb.bin
    SHA-256: a7635a5ae2ef024d617d2cc5ac942e2126999fc07605f27bf2f4446689b1ff52
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12EBB
    Size: 10372 bytes