Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d376476b6c1c733…

Verdict: MALICIOUS
File type: PDF

Size: 181.8 KB
Created: 2021-06-06 06:43:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 64c01f3172dc47b3105444016777416f
SHA-1: b586a9769bb4e4281b9ae863b0f8bfe883decb96
SHA-256: 9d376476b6c1c733452a448b01d065db2d0a708077ce6ebbbf3f1976c36200ee
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is identified as malicious by ML classifiers and ClamAV, exhibiting characteristics of an advance-fee scam. The document body, though heavily corrupted, suggests a lure related to educational materials. The embedded URI `https://archism.ru/pbw?utm_term=exercices+de+maths+3eme+avec+corrig%25C3%25A9s+pdf` likely leads to a phishing page or further malicious content, aligning with the T1566.001 (Spearphishing Attachment) technique.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://archism.ru/pbw?utm_term=exercices+de+maths+3eme+avec+corrig%25C3%25A9s+pdf

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off00026458.bin (bfa6b9f3517d1c2060c925a1f3120a2ce3b859c60a8a0efe37fbc9d99d59a5c7) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26458 | 5928 bytes
font_01_sfnt_off00027825.bin (d6eec6e4178a78baa465f7fd487fe538fd5b8fe23d8a76475af6161a4bc4d0c3) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27825 | 3464 bytes
font_02_sfnt_off0002862c.bin (2dcaf688012ed4b534f10673f09b5bcfe1da92c377c48fc50e669f29004db567) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2862C | 12636 bytes
font_03_sfnt_off0002b030.bin (794f4efc395ea15b9b936896e41714d8572d91897b70cbf839412594a35a0823) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B030 | 16348 bytes