Malicious PDF — malware analysis report

Static analysis result for SHA-256 867e071f24f5e15e…

Verdict: MALICIOUS
File type: PDF
Size: 119.4 KB
Created: 2021-04-01 19:27:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6a8f9932755bf71b58d8b68f9ff280f3
SHA-1: 85860ddfd97da7e74965fbee7bcc43c4814e7a77
SHA-256: 867e071f24f5e15e44d8e4e917b7fcc163b10da3077204e2bf79d0e2de475e43
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ClamAV and by an ML classifier, with a critical heuristic firing for the ClamAV detection. An external URI pointing to 'https://midufefew.ru/123?utm_term=archie+tarzy+music' was extracted, suggesting a phishing or malware distribution attempt. Although no scripts were explicitly extracted, the PDF structure and the presence of embedded URLs indicate it is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://midufefew.ru/123?utm_term=archie+tarzy+music

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off0001473f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1473F
    Size: 8324 bytes
    SHA-256: f65d1ae6e5e5930e765bbb6ba6df62c64fd8b8089bf89c8352f945a24b30d386
  • font_01_sfnt_off000162f1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x162F1
    Size: 5148 bytes
    SHA-256: e72f18394c4cf76bce8f9848a89c4534444dd6abd73996b100810252cfdc073d
  • font_02_sfnt_off0001744f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1744F
    Size: 1872 bytes
    SHA-256: d84d133f8be175c41a9a30ca74c194ff4552f1bd6589e6972d6457ca5359e694
  • font_03_sfnt_off00017d3e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17D3E
    Size: 16616 bytes
    SHA-256: 2883f96e92ab2f12cdcaf573b8aa83cbfcd849f60f357ccd37feb81b735258a3
  • font_04_sfnt_off0001b00f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B00F
    Size: 16884 bytes
    SHA-256: bc6c42dfb6365b44170e8a0eafc9701fe406e598182aab5403e2b4a6208e9a56
  • font_05_sfnt_off0001c7c5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C7C5
    Size: 1736 bytes
    SHA-256: 1648accd5638f26481c437d0e436fdfb03edab78dab75f4e73239278c8cddc19