Malicious PDF — malware analysis report

Static analysis result for SHA-256 82a78c514751fd68…

MALICIOUS

PDF

114.6 KB Created: 2021-03-15 00:14:35 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 07c52162347f383d26289885649cf930 SHA-1: 683fc9977573bbfb7c24bd5bad24fc7b8ac01da6 SHA-256: 82a78c514751fd682ed1005d80a2ade26ea669bbb2bb8d2f7dc3edddff7f0370
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URI pointing to 'dafemum.ru', which is likely a phishing or malware distribution site. While the document body is heavily obfuscated, the presence of external URIs and the overall detection suggest a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8768

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/award?keyword=biopsychosocial+spiritual+assessment+pdf
    • http://virona.org/macbeth_act_2_scene_4_analysisyiezc.pdf
    • https://cdn-cms.f-static.net/uploads/4382617/normal_60170ca5a4aa2.pdf
    • http://copyrightnotice-ig.com/bojupibcnem.pdf
    • http://gunofixe.medianewsonline.com/78294097893.pdf
    • http://netzamka.ru/vituwa7wjdh.pdf
    • https://cdn-cms.f-static.net/uploads/4477400/normal_601914b8af916.pdf
    • http://gaydating.world/32023481283aytuf.pdf
    • https://cdn-cms.f-static.net/uploads/4416928/normal_601d59f0f01aa.pdf
    • https://static.s123-cdn-static.com/uploads/4500189/normal_6008d6bcd6686.pdf
    • http://boketizabujig.scienceontheweb.net/lubatofasogozasinofi.pdf
    • https://static.s123-cdn-static.com/uploads/4498994/normal_5fcbcfa7bb51a.pdf
    • http://whysmall.space/88333195308cqi68.pdf
    • http://liwexun.mywebcommunity.org/chemistry_organic_compounds_list.pdf
    • https://static.s123-cdn-static.com/uploads/4418000/normal_5ffcaa3b2f54c.pdf
    • https://cdn-cms.f-static.net/uploads/4414360/normal_601e26710f6fb.pdf
    • https://static.s123-cdn-static.com/uploads/4475397/normal_5fe4e0a100c77.pdf
    • http://puzofogerexiwi.22web.org/tamilrockers_abcd_movie.pdf
    • http://sowipilarow.mygamesonline.org/kazuvafokaminat.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://ligekasuxube.onlinewebshop.net/bulleh_shah_biography.pdf
    • http://dakokaxawizepu.epizy.com/vevupenekofunem.pdf
    • http://kufekisawisewo.onlinewebshop.net/jumefuxukavinafaf.pdf
    • http://jumepenitujox.atwebpages.com/diy_kitchen_nook_ideas.pdf
    • http://wabinugo.epizy.com/zawiriw.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00019308.bin
e50207ac155edb75672d8fe02a480cd5605594ea7d74f9137838cf13e3803519		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19308 5544 bytes
font_01_sfnt_off0001a5c3.bin
da22b011a97dbfee5b75ef058766d978ed980b6e95956b6c03300bcc2299ffcb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A5C3 10928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.