Malicious PDF — malware analysis report

Static analysis result for SHA-256 88de4ca3755c2eb6…

Verdict: MALICIOUS
File type: PDF
Size: 82.5 KB
Created: 2021-04-04 21:12:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2f6c0a3723d6c82f680bfa2d8daddde7
SHA-1: 42c26fd68e3fa3acfa33e4a069d94358f143d0bb
SHA-256: 88de4ca3755c2eb6938b344aa756c72e78286d4ce325d268a3deed635a18bb0d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file was classified as malicious by the Nyx PDF classifier (score 0.9961) and by a ClamAV phishing signature (Pdf.Phishing.Trojan). It carries a single external URL action, pointing to dafemum.ru, which is likely a phishing or malware distribution domain; the utm_term in that URL ("dewalt 20v max xr hammer drill torque") is a search-keyword lure. The document body lists many further links to PDF files on third-party file-hosting and site-builder CDNs (strikinglycdn.com, filesusr.com, s3.amazonaws.com, s123-cdn-static.com and others). Together with the wkhtmltopdf producer string, this is consistent with a web page converted to PDF and used as a phishing or social-engineering lure that hands the reader off to attacker-controlled hosting. None of the four heuristics reports JavaScript, embedded files or other active content in the document itself, so the T1059.007 mapping is not corroborated by the listed indicators; the duplicate indirect object (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) is the only structural anomaly, and it was scored as informational.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV signature match; the detection name classifies the file as a PDF phishing trojan.
  • External URI action info PDF_URI
    The PDF contains an external URL action (/URI); following the link hands the reader off to a web destination outside the document.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs to show one thing to a scanner and another to the victim's viewer. Body-only differences are also common in benign incremental updates (a saved edit appends a redefinition instead of rewriting the file), so severity is raised only when the duplicate carries active content; here it did not, and the finding stays informational.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. Of the URLs below, the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers and the scripts.sil.org entry is the SIL Open Font License URL carried by an embedded font; none of those is navigable lure content. Ascender Corp. is a font foundry, so the ascendercorp.com entries most likely come from the embedded fonts' name tables as well.
    • https://dafemum.ru/strik?utm_term=dewalt+20v+max+xr+hammer+drill+torque (target of the /URI action)
    • https://static.s123-cdn-static.com/uploads/4376629/normal_5fca85d703947.pdf
    • https://cdn.sqhk.co/vagekasip/9kjdgiM/disco_zoo_cheats.pdf
    • https://cdn.sqhk.co/mitukutowum/ijcjfhg/gmail_log_into_different_account.pdf
    • https://cdn-cms.f-static.net/uploads/4386848/normal_6039a8a8bda33.pdf
    • https://static.s123-cdn-static.com/uploads/4471703/normal_5ff006ea945f3.pdf
    • https://cdn.sqhk.co/gowamojon/ighadt3/nozuj.pdf
    • https://cdn-cms.f-static.net/uploads/4445570/normal_6020d2351697a.pdf
    • https://cdn.sqhk.co/xedufoga/kShhdie/22412751967.pdf
    • https://cdn.sqhk.co/nuzozuni/zgcgins/space_runaway_ideon_gundam.pdf
    • https://cdn-cms.f-static.net/uploads/4475863/normal_600ae99e6a766.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/vibuvomomuv/44902167318.pdf
    • https://cc4f1b1a-08c7-467e-bb5a-e3073ad8caf1.filesusr.com/ugd/ffc175_b58fae1396b1435d850ca9ff5c8b3f89.pdf?index=true
    • https://uploads.strikinglycdn.com/files/c7d870c4-861f-47aa-83ec-a1823587f820/tunibuxavamuwugogaj.pdf
    • https://uploads.strikinglycdn.com/files/d1e1095c-da9f-49e5-a8a0-fed473568c24/nubobegiwokezarisemaji.pdf
    • https://s3.amazonaws.com/retisovojor/seth_godin_blog_the_practice.pdf
    • http://luxoxuwaf.epizy.com/nikanonezulodixe.pdf
    • https://uploads.strikinglycdn.com/files/ca984ac6-7bbc-496d-ac6e-a0a42124b1e1/daganu.pdf
    • https://uploads.strikinglycdn.com/files/41e1b8bc-00e8-48de-98ef-65e52f34ab2b/the_maze_runner_summary.pdf
    • https://uploads.strikinglycdn.com/files/4ec92088-720a-4d49-a95d-55977fb42d49/fulukoru.pdf
    • https://f6180879-d31b-499c-8e42-fead7842c491.filesusr.com/ugd/007227_9a4005e939314d5bb736675c56419d93.pdf?index=true
    • https://s3.amazonaws.com/xedewofuretujo/tisama.pdf
    • https://41be308f-8a64-4dec-8b30-4937605be974.filesusr.com/ugd/f042fe_cf34594efcea4f9bb98377140e7f5a18.pdf?index=true
    • https://3a5aa097-47f9-475f-9992-83bceef25cc3.filesusr.com/ugd/f55bec_674fd3210c4f4e378442cab298451480.pdf?index=true
    • http://wewodiluxi.rf.gd/evangelios_apocrifos_nag_hammadi.pdf
    • http://zinogagagobuv.epizy.com/nurse_anesthesia_books.pdf
    • https://ae0ecf71-49bb-4ac4-bba4-d0f2a20d1af9.filesusr.com/ugd/668a47_4f912f48323a447db8d3441c71c7fa82.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
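The two structural heuristics above, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the per-channel URL labelling behind PDF_URI / EMBEDDED_URL, can be reproduced with a raw byte scan. The Python below is an added example, not the analysis engine's code and not part of the original report: it enumerates every `N G obj` definition without consulting the xref table, reports (num, gen) pairs defined more than once with different bodies together with whether any body carries active content, shows what a first-wins and a last-wins reader would each resolve, and labels each extracted URL as a /URI action target, an XMP namespace identifier, or plain body text. The sample PDF, the function names and the ACTIVE_KEYS list are constructed for this example.

```python
import re
from collections import defaultdict

# Keys whose presence in a duplicate body is what makes the parser-confusion shape
# dangerous. This list is the example's own, not the report's scoring rule.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA",
               b"/EmbeddedFile", b"/SubmitForm", b"/GoToR", b"/RichMedia")

# Raw byte scan for 'N G obj ... endobj'. It deliberately ignores the xref table so
# that every definition is seen, which is exactly what an xref-following reader hides.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^)\\])*)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()\[\]{}]+")
XMP_NS_PREFIXES = (b"http://www.w3.org/", b"http://purl.org/", b"http://ns.adobe.com/")


def iter_objects(pdf):
    """Yield (num, gen, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def duplicate_objects(pdf):
    """Objects whose (num, gen) is defined more than once with differing bodies.

    Returns [(num, gen, definitions, active)]; 'active' is True when any body
    carries ACTIVE_KEYS, the condition under which severity should be raised."""
    defs = defaultdict(list)
    for num, gen, body in iter_objects(pdf):
        defs[(num, gen)].append(body)
    hits = []
    for (num, gen), bodies in sorted(defs.items()):
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(key in body for body in bodies for key in ACTIVE_KEYS)
            hits.append((num, gen, len(bodies), active))
    return hits


def first_wins_last_wins(pdf, num, gen):
    """The body a first-wins reader and a last-wins reader would each resolve for (num, gen)."""
    bodies = [b for n, g, b in iter_objects(pdf) if (n, g) == (num, gen)]
    return (bodies[0], bodies[-1]) if bodies else (None, None)


def labelled_urls(pdf):
    """Map each URL to the channels it was reached through: a /URI action, an XMP
    namespace declaration, or plain document body text. Compressed streams are not
    inflated here, so URLs inside FlateDecode content would be missed."""
    seen = defaultdict(set)
    uri_targets = set()
    for _num, _gen, body in iter_objects(pdf):
        for m in URI_ACTION_RE.finditer(body):
            url = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            uri_targets.add(url)
            seen[url].add("uri_action")
    for m in URL_RE.finditer(pdf):
        url = m.group(0).rstrip(b".,;")
        if url in uri_targets:
            continue
        seen[url].add("xmp_namespace" if url.startswith(XMP_NS_PREFIXES) else "body_text")
    return {url.decode("latin-1"): sorted(channels) for url, channels in seen.items()}


# Constructed sample: a small document followed by an incremental update that
# redefines the link annotation (object 4) so that it now carries a /URI action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 6 0 R >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] >> endobj\n"
    b"5 0 obj << /Type /Metadata /Subtype /XML /Length 69 >> stream\n"
    b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/>\n"
    b"endstream endobj\n"
    b"6 0 obj << /Length 54 >> stream\n"
    b"BT (https://cdn.example.invalid/files/lure.pdf) Tj ET\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
    b"/A << /S /URI /URI (https://example.invalid/strik?utm_term=lure) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for num, gen, n, active in duplicate_objects(SAMPLE_PDF):
        print(f"PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: {num} {gen} defined {n} times, active={active}")
    for url, channels in labelled_urls(SAMPLE_PDF).items():
        print(f"EMBEDDED_URL: {url} <- {', '.join(channels)}")
```

Run it on a real sample with `duplicate_objects(open(path, "rb").read())`. Because it scans bytes rather than following xref, it sees the stale and the replacing definition alike, which is the whole point of the check; for the same reason it also reports harmless redefinitions from ordinary incremental saves, so treat a hit as informational unless `active` is set, as the report does.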

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000100bb.bin
  SHA-256: 5706ce8d90acef37d54a0f92e52d1bed2239e0d8447a76277395f64ba22c8afc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x100BB
  Size: 5508 bytes

Filename: font_01_sfnt_off00011367.bin
  SHA-256: e143a58832a7010a60056b7c218260fb53915d9293929b3c5b79875c197e9a0a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11367
  Size: 12052 bytes
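Both carved artifacts are sfnt font streams. Before trusting that a carved `pdf-font-stream` really is a font and nothing more, check that its table directory is self-consistent. The Python below is an added example, not the report's tooling: it parses the sfnt offset table and table directory, verifies that every table lies inside the blob, and recomputes each table's checksum as the OpenType specification defines it (with the `head` table's checkSumAdjustment zeroed). The sample fonts are built inside the script; the real artifacts' bytes are not on this page.

```python
import struct

# Magic values an sfnt container may start with (TrueType, Apple 'true', CFF 'OTTO', collection).
SFNT_TAGS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}


def sfnt_checksum(data):
    """OpenType table checksum: sum of big-endian uint32 words, zero-padded to 4 bytes."""
    data = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(data) // 4}I", data)) & 0xFFFFFFFF


def parse_sfnt(blob):
    """Parse the offset table and table directory of an sfnt blob.

    Returns {'tag', 'tables': [(tag, offset, length, in_bounds, checksum_ok)], 'ok'}.
    'ok' is False if the magic is unknown, the directory is truncated, any table
    points outside the blob, or any stored checksum does not match the bytes."""
    if len(blob) < 12:
        return {"tag": None, "tables": [], "ok": False}
    tag = blob[:4]
    num_tables = struct.unpack(">H", blob[4:6])[0]
    ok = tag in SFNT_TAGS and tag != b"ttcf"   # collections need a different walk; out of scope
    tables = []
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:                      # directory runs past the end of the blob
            ok = False
            break
        ttag, stored, off, length = struct.unpack(">4sIII", rec)
        in_bounds = off + length <= len(blob)
        table = bytearray(blob[off:off + length]) if in_bounds else bytearray()
        if ttag == b"head" and len(table) >= 12:
            table[8:12] = b"\0\0\0\0"          # checkSumAdjustment is excluded from head's checksum
        checksum_ok = in_bounds and sfnt_checksum(bytes(table)) == stored
        tables.append((ttag.decode("latin-1"), off, length, in_bounds, checksum_ok))
        ok = ok and in_bounds and checksum_ok
    return {"tag": tag, "tables": tables, "ok": ok}


def build_sfnt(tables):
    """Build a minimal TrueType-flavoured sfnt from {tag: bytes}. Used only to construct sample input."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 0, 0, 0)
    offset = 12 + 16 * len(tables)
    directory, body = b"", b""
    for tag, data in sorted(tables.items()):
        padded = data + b"\0" * (-len(data) % 4)
        directory += struct.pack(">4sIII", tag, sfnt_checksum(data), offset, len(data))
        body += padded
        offset += len(padded)
    return header + directory + body


# Constructed samples: a well-formed two-table font, the same font with one data
# byte flipped, and a copy truncated the way a stream cut short by a bad /Length would be.
GOOD_FONT = build_sfnt({b"cmap": b"\x00\x00\x00\x01abcdef", b"name": b"\x00\x01\x02\x03" * 8})
TAMPERED_FONT = GOOD_FONT[:-1] + bytes([GOOD_FONT[-1] ^ 0xFF])
TRUNCATED_FONT = GOOD_FONT[:-8]

if __name__ == "__main__":
    for label, blob in (("good", GOOD_FONT), ("tampered", TAMPERED_FONT), ("truncated", TRUNCATED_FONT)):
        result = parse_sfnt(blob)
        print(f"{label}: ok={result['ok']} tables={[t[0] for t in result['tables']]}")
```

For a carved artifact, call `parse_sfnt(open("font_00_sfnt_off000100bb.bin", "rb").read())`. A clean directory with matching checksums does not prove the font is harmless, but a blob that fails these checks while claiming to be an sfnt is either a damaged carve or not a font at all, and either way deserves a second look before the artifact is dismissed as a benign resource.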