Malicious PDF — malware analysis report

Static analysis result for SHA-256 835be3f44b22e8ae…

Verdict: MALICIOUS
File type: PDF
Risk score: 96
Size: 313.3 KB
Created: 2021-03-17 04:42:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9689a983d22fc78855becb105f8b5c21
SHA-1: 7ed64da23a0412858f57481e555cfe63b7f8b9b4
SHA-256: 835be3f44b22e8aeddbd07d86d7b43567a7eceff04b34acb1f8140bd20e15d12

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged as malicious by ClamAV and by the ML classifier. It carries a link action whose target (vilenefex.ru) is a suspicious domain, likely hosting phishing content or a further payload. The visible document text is heavily obfuscated, but the keyword in that URL ("dua after eating") points to a religious-themed lure, potentially chosen to make the file pass as an ordinary downloaded prayer sheet. None of the four heuristics below reports JavaScript, so the T1059.007 mapping is not confirmed by this static pass and should be checked dynamically before being relied on.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9785

Heuristics (4)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (/URI); the target is listed under Embedded URL below.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content; here it stayed at info.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The w3.org, purl.org and ns.adobe.com entries at the end of the list are XMP namespace identifiers, and the dejavu.sourceforge.net and scripts.sil.org/OFL entries are licence URLs from embedded font metadata; neither group is a navigable link target.
    • https://vilenefex.ru/wix?keyword=dua+after+eating+duas.org
    • https://static.s123-cdn-static.com/uploads/4417119/normal_5ff78ffea41f8.pdf
    • http://zdorovie-vashe-vse.xyz/5335905451822cfx.pdf
    • http://begdas.fun/proctor_modificado_aashto_t_18010mqz.pdf
    • https://static.s123-cdn-static.com/uploads/4416504/normal_5ff6beaee9118.pdf
    • http://boomerangoo.site/14137113382mbnha.pdf
    • http://vienvozvrat.site/39314024811o3uaf.pdf
    • https://cdn-cms.f-static.net/uploads/4462056/normal_6044d8fb6feac.pdf
    • http://opensol.xyz/29334344545ng4x1.pdf
    • http://femalawiterig.iblogger.org/60677358408.pdf
    • http://jiwujat.iblogger.org/34412842097.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://44eeb0f0-4dc9-4d8b-b3fd-cc7ace98e90e.filesusr.com/ugd/a083a1_34566c6f2d1d4e48b54b86c2c1bad58d.pdf?index=true
    • https://80172413-d145-4b71-b7cf-4a007d76ad29.filesusr.com/ugd/cacfd7_81d90f43e204441781082f3d2b9f682c.pdf?index=true
    • https://451b78f8-089e-4d4d-bc4b-60abb621f7e6.filesusr.com/ugd/7ef0dc_6ade098b1f404740870e715d734dfc92.pdf?index=true
    • https://uploads.strikinglycdn.com/files/3b2ee363-9cd2-4834-864f-b8d93e5184fc/tavawogi.pdf
    • https://s3.amazonaws.com/mubefula/27602363437.pdf
    • https://s3.amazonaws.com/sefipa/difebutazi.pdf
    • https://s3.amazonaws.com/gofilafixu/acoustic_guitar_chords_lessons.pdf
    • http://pelubameta.epizy.com/danoxugovopekukij.pdf
    • https://s3.amazonaws.com/kosipefojaw/gridinsoft_anti-_malware_portable.pdf
    • https://s3.amazonaws.com/juzewojavomofew/personal_training_programs_template.pdf
    • https://uploads.strikinglycdn.com/files/0bf736dd-e87d-4428-9b09-5758f9ab3d42/jepopo.pdf
    • https://uploads.strikinglycdn.com/files/b213b0b5-c9aa-49ea-9a05-97ac898eff11/19992218658.pdf
    • http://winulinimax.rf.gd/savomixexaxuzaso.pdf
    • https://uploads.strikinglycdn.com/files/63cd438c-c47e-4845-a8e7-d4ccd1a62a58/depuso.pdf
    • https://6c8ebe11-725c-420b-823a-68bc39d02ad2.filesusr.com/ugd/3e87bf_fdb9993082904576b9fa15b142d7bd98.pdf?index=true
    • https://uploads.strikinglycdn.com/files/e6d7978a-61e0-493e-9cd6-5b4e4fb496d8/frases_del_libro_amante_japones.pdf
    • https://0df6220b-9630-4647-aab6-0d9db69b9d59.filesusr.com/ugd/8b97dd_25f261f7502f4003834afa80cc800f7a.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://scripts.sil.org/OFL
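The two structural heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a byte-level scan. The script below is an added example, not the analysis platform's own code. SAMPLE_PDF is constructed: a base revision with one link annotation, followed by an incremental update that redefines the same object (4 0) with a different /URI. Cross-reference tables are omitted, so the bytes are valid for this scan only, not for a viewer. The ACTIVE_KEYS list is an assumption about which dictionary keys count as active content.

```python
"""Triage PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and PDF_URI with a regex scan.

Added example, not the report's tooling. SAMPLE_PDF is constructed (no xref).
"""
import re
from collections import defaultdict

# "N G obj ... endobj", non-greedy so each object ends at its own endobj.
# Objects packed inside /ObjStm streams are not visible to this regex.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Assumed set of keys that make a duplicate body "active": when present, the
# first-wins / last-wins disagreement changes what the document does.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (https://example.com/benign) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # Constructed incremental update: same object number, different target.
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"   /A << /S /URI /URI (http://attacker.invalid/lure) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def indirect_objects(data):
    """Map (num, gen) -> list of body bytes in file order; index 0 is the first definition."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def duplicate_objects(data):
    """Objects defined more than once with at least two distinct bodies.

    Each finding records the body a first-wins reader and a last-wins reader
    would resolve, and whether any variant carries active content, which is
    the condition under which the report raises severity above info.
    """
    findings = []
    for key, bodies in indirect_objects(data).items():
        if len(set(bodies)) < 2:
            continue  # identical redefinition: ordinary incremental-update noise
        findings.append({
            "obj": key,
            "first": bodies[0],
            "last": bodies[-1],
            "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
        })
    return findings


def uri_actions(data):
    """Every /URI string in file order, deduplicated. A target is not a detection."""
    seen = []
    for m in URI_RE.finditer(data):
        uri = m.group(1).decode("latin-1")
        if uri not in seen:
            seen.append(uri)
    return seen


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE_PDF):
        sev = "raised" if f["active"] else "info"
        print(f"dup {f['obj'][0]} {f['obj'][1]} obj: severity {sev}")
        print("  first-wins:", f["first"][:80])
        print("  last-wins: ", f["last"][:80])
    for u in uri_actions(SAMPLE_PDF):
        print("URI:", u)
```

On the constructed input the scan reports object 4 0 as defined twice with active content, and lists both link targets. Run it over a real sample and compare the first-wins and last-wins bodies by hand: a benign incremental update usually changes annotations or form values, whereas a redefined action dictionary is the shape worth escalating.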

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_006_off000497e8.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecode stream at offset 0x497E8
    Size: 35664 bytes
    SHA-256: 881cce368abbc5dbdca3374ab7b0a899276d20decc97ddaf11b213c7f89a5b53
  • font_00_sfnt_off0004601d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4601D
    Size: 5072 bytes
    SHA-256: 174e0d0c28171f52cfd6be50006bdd32d43ae01e6f994e8419c90cecbb002e40
  • font_01_sfnt_off00047181.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x47181
    Size: 11232 bytes
    SHA-256: 687cc1be38d77515a99c7e33a14997598457c51296868b9bc2977b15ffc7336f
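The artifact records above (offset, kind, size, SHA-256) are what a stream carver produces. The script below is an added example, not the platform's carver. build_sample() constructs a minimal one-page PDF whose content stream is zlib-compressed, so it runs offline on known input; the artifact naming function follows the stream_<index>_off<hex>.bin convention visible in the list and is an assumption about how those names were formed.

```python
"""Carve PDF streams, inflate FlateDecode ones, record offset, size and SHA-256.

Added example, not the analysis platform's carver. build_sample() is constructed.
"""
import hashlib
import re
import zlib

# Stream dictionary plus body. The tempered "(?:(?!endobj).)*?" stops the
# dictionary from spanning back across an earlier object; the body offset is
# m.start(2), i.e. the first byte after the "stream" keyword and its EOL.
STREAM_RE = re.compile(
    rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Constructed page content; any bytes would do.
CONTENT = b"BT /F1 12 Tf 72 700 Td (dua after eating) Tj ET"


def build_sample():
    """Constructed PDF with one FlateDecode content stream (no xref; scan-only input)."""
    comp = zlib.compress(CONTENT)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + comp + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def carve_streams(data):
    """One record per stream: body offset, kind, size and SHA-256 of the carved
    bytes (inflated when /FlateDecode is declared and inflation succeeds)."""
    records = []
    for m in STREAM_RE.finditer(data):
        sdict, raw = m.group(1), m.group(2)
        if b"/FlateDecode" in sdict:
            try:
                payload, kind = zlib.decompress(raw), "decompressed-pdf-stream"
            except zlib.error as exc:
                # Corrupt or truncated deflate data: keep the raw bytes, don't drop them.
                payload, kind = raw, f"flate-error ({exc})"
        else:
            payload, kind = raw, "raw-pdf-stream"
        records.append({
            "offset": m.start(2),
            "kind": kind,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "data": payload,
        })
    return records


def artifact_name(rec, index):
    """Assumed naming convention from the artifact list: stream_<index>_off<hex>.bin."""
    return f"stream_{index:03d}_off{rec['offset']:08x}.bin"


if __name__ == "__main__":
    pdf = build_sample()
    for i, rec in enumerate(carve_streams(pdf)):
        print(artifact_name(rec, i), rec["kind"], f"offset 0x{rec['offset']:X}",
              rec["size"], "bytes", rec["sha256"])
```

The hash is taken over the inflated bytes, which matches the report's sizes (35664 bytes for a 0x497E8-offset stream is the decompressed length, not the on-disk length); hashing the raw deflate bytes instead would give a different value and break correlation with other sandboxes. Streams whose deflate data is damaged are kept with a flate-error kind rather than silently skipped, since a deliberately corrupted stream is itself worth a look.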