Malicious PDF — malware analysis report

Static analysis result for SHA-256 9c6dbe20977c4587…

Verdict: MALICIOUS
File type: PDF
Size: 84.6 KB
Created: 2021-03-23 09:52:33 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9303c5306e93a349d86bee409712bf9b
SHA-1: 2c49686e0cf5b62489c8ef1243db7abdffeb63d8
SHA-256: 9c6dbe20977c45879214955b8a861f792ef66c4f33febac5e7656277500eb603
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'dugedepap.ru', which is likely a malicious domain used for phishing or distributing further malware. The document body, though heavily obfuscated, suggests a lure related to college applications, aligning with phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/award?keyword=college+application+form+template+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010f06.bin
  SHA-256: f82a453f4d0dc7d3a1a28773810bfb19de77af02293449231fb2383a7ea5f5f5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10F06
  Size: 5204 bytes

Filename: font_01_sfnt_off000120a5.bin
  SHA-256: 565c4ac9bbb4afe285aa6b7e85bbbe7a4deead9505b63b228b513a75f7160040
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x120A5
  Size: 10672 bytes