Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cc4f6a3d27c245b…

MALICIOUS

PDF

88.2 KB Created: 2021-05-27 12:07:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-11-23
MD5: 5d70f095f3f1e60e5880504b2fd193de SHA-1: e6c86603b9f0f2783e875403251ba31379f9d651 SHA-256: 7cc4f6a3d27c245b6d1684bbb7b8e3795cccc40e3417c6940edda1a67a0846ba
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, indicating a phishing or trojan threat. The presence of an external URI pointing to 'dugedepap.ru' suggests an attempt to redirect the user to a malicious site, likely for downloading further payloads or phishing for credentials. The heuristic 'SE_URGENCY_LURE' further supports a social engineering attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9925

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/strik?utm_term=bigo+live+free+diamond+apk PDF link annotation
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://uploads.strikinglycdn.com/files/2e63b74f-597f-4c08-8cde-fe6dbac4bb2f/38609834905.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9de16180-2418-4cc7-938c-8e044bb66dd1/tuvidovefivumixil.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/c950d4a4-4bc7-48b1-922c-6a7b10164e4c/lg_g2_32gb_caracteristicas.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/2a730f40-690a-48ea-9389-6f1b13b0a9d9/40636542754.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/79c03601-ee76-458c-b561-3b25b898d914/ap_english_language_and_composition_exam_2020_coronavirus.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9ee2451a-916b-4e23-8d9d-ae71cbf9e953/gunetokepivoje.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/002d2a46-fe07-4a9a-894d-c83c3a29daab/blender_character_modeling_tutorial_download.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/d5897971-545e-4b20-8742-bc3f270433ae/dekepowubasotopaket.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/caae94cd-fb5d-49f9-9854-2bc3c372f043/mitosis_of_an_animal_cell_worksheet_answers.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/20ee68df-6d26-4e76-89dd-d71eee65ee0f/how_to_use_ps3_controller_on_pc_rocket_league.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/683cf5e4-1fee-43b6-aea1-8f08ef3e2d20/95075631573.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b100909e-2cf0-42a4-9499-c6fd50105a5b/vawupejub.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/f5f41e67-350e-40d1-8528-ba1ae240d636/10225153433.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/e3254500-2e2b-4cae-a179-702aab59da4a/how_to_draw_manga_basics_and_beyond_free_download.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/5638fcac-fa48-4025-8bda-ad9f81408876/macbeth_and_son_book_cover.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/61821804-b5c0-40d4-8ac1-7220f2474afb/how_to_turn_on_logitech_wireless_keyboard_k380.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/64379c07-4280-4787-9612-b467bf583eae/fallout_4_new_vegas_release_date_ps4.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/9b8e01ca-2944-491e-9895-46078e9fe0f6/xigolixilogajusopa.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b16a43b1-e7ad-4aca-80d4-ab722e379d20/4081858435.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/df208532-7b1e-4087-87a1-2927b59f5de5/88166838379.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/0119f8b5-9162-44bd-bffe-26e965897422/basic_mathematics_uon.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/ec08ccec-3318-46e0-b17d-489e126759c8/62986935922.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/b3d198c0-6055-4799-a4d9-fc6041f17dd6/74160427499.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/baf8cfc3-9034-40b6-bad8-b4e0fcfaf7db/huckleberry_finn_chapter_1-14_summary.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/50391b36-972f-4019-a661-3879dd37e6af/myers_briggs_types_chart.pdfIn PDF document text
    • https://uploads.strikinglycdn.com/files/1101c22d-9b28-4d38-9834-4617f3d42a8c/rich_people_problems_movie.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • https://savannah.gnu.org/projects/freefont/In PDF document text
    • http://www.gnu.org/licenses/In PDF document text
    • http://www.gnu.org/copyleft/gpl.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ff67.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFF67 6440 bytes
SHA-256: a606a6dede3b99472d2ac97761204782646b5f75106b48d1abccbe9a99ca9a4c
font_01_sfnt_off00010f5b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10F5B 5356 bytes
SHA-256: feb9240af4c641d3739ad3e39fc3b4a2a997be15b375d68461c5de1fc37b7154
font_02_sfnt_off00012185.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12185 1936 bytes
SHA-256: cf50d13c5c21d2e34fba0d9dd21119d4839fc35fdaebfe62cbacf51850cc328d
font_03_sfnt_off00012ac4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12AC4 11552 bytes
SHA-256: 7b4240c9d7bbcf45be81fc8d6b5957721e70c2e6ff8b3707bac2a7655ddaf4d1

Open this report in the interactive analyzer, or submit your own file for analysis.