Malicious PDF — malware analysis report

Static analysis result for SHA-256 a20c3a9769f64030…

MALICIOUS

PDF

Size: 90.5 KB
Created: 2021-03-22 16:24:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e34b530bd1b7333871eedd42130ef541
SHA-1: b76d1b3153671633f71054593bb88d36249c608f
SHA-256: a20c3a9769f64030d95ea03143db222e035c0f56536ea7d46ac2551b3b66ad4a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that directs users to a site offering a 'Merge dragons fall event guide', a common lure for phishing or malware distribution. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest it's designed to redirect users to malicious content, likely for further exploitation.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/123?utm_term=merge+dragons+fall+event+guide

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001019b.bin
  SHA-256: 1f501627767a21e0eb5589aff480c4bf0463c4bb2101bd3a72dcd2a6541a5841
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1019B
  Size: 5540 bytes

Filename: font_01_sfnt_off000114c7.bin
  SHA-256: b2a0caa7b18a2496052fe08edfeac8b902317cdc68da4650220b55cbba2f4f9a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x114C7
  Size: 5020 bytes

Filename: font_02_sfnt_off000125f6.bin
  SHA-256: c4c72793b833834188d0392da97e05481a4dea4e76bc4d62f2b884a722cddb01
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x125F6
  Size: 11336 bytes

Filename: font_03_sfnt_off00014c79.bin
  SHA-256: 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14C79
  Size: 4324 bytes