Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4918b1fdd332a44…

MALICIOUS

PDF

80.4 KB Created: 2021-03-22 09:11:35 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3e7d05c5b2af47bc0db1f833ba47eea8 SHA-1: 60639afe04eb76f69e8cebb7e7e03795f0c49455 SHA-256: a4918b1fdd332a44aa9104fdf63566e2f8b2061552eab686929ea72b490d472c
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. The document body, though partially corrupted, contains text related to 'Lupercalia festival 2020' and the authoring application 'wkhtmltopdf', suggesting a lure to a specific event. The embedded URI points to 'dafemum.ru', which is likely part of the phishing or malware distribution infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/wix?keyword=lupercalia+festival+2020
    • https://cdn-cms.f-static.net/uploads/4494877/normal_60196b224a849.pdf
    • https://cdn.sqhk.co/josipinu/chbGiiL/clash_royale_card_tier_list_june_2020.pdf
    • https://cdn-cms.f-static.net/uploads/4392463/normal_601c029695217.pdf
    • http://timurberg.ru/how_to_use_oven_for_baking_chickenod6ni.pdf
    • https://cdn.sqhk.co/buzivafulet/rgjaHIg/free_rap_ad_libs.pdf
    • https://cdn.sqhk.co/xanodujijefu/jbnJUih/xodirodaxaluwifoxoxajan.pdf
    • http://polypak.site/515111047742b1q1.pdf
    • https://cdn-cms.f-static.net/uploads/4389804/normal_5fe625de3c6e4.pdf
    • https://cdn-cms.f-static.net/uploads/4463532/normal_60334d08a8bdf.pdf
    • https://cdn.sqhk.co/mubogasaven/ihibhix/train_games_2017_train_driving_download.pdf
    • https://cdn-cms.f-static.net/uploads/4409998/normal_60525d28b939b.pdf
    • http://xumegexujarev.22web.org/brother_video_song.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://720c7b34-a033-4bf0-83ea-6be17de98aa2.filesusr.com/ugd/03ef8e_a3852d900d3a4ecd913759644a079e6d.pdf?index=true
    • http://rudavuzapu.rf.gd/integral_de_csc2_3x_dx.pdf
    • http://barirenuvekesup.epizy.com/bobol_wifi_wpa2_lewat_android.pdf
    • http://lozopavo.rf.gd/8837653166.pdf
    • https://d190c387-1498-4382-a59e-98d1a0a9794c.filesusr.com/ugd/a91264_eaf946c7871e4eb29e44ade8b38ab3f1.pdf?index=true
    • http://wigikel.rf.gd/marginal_costing_format.pdf
    • http://daxipazomodej.epizy.com/39708479997.pdf
    • https://ec5c17a1-061e-4a2c-a9e6-b3561ba71229.filesusr.com/ugd/299074_aa15d9881e524e698a06aec78df5215b.pdf?index=true
    • https://a53786a9-8e73-4b2e-9f05-d50c32e9ce72.filesusr.com/ugd/e5a943_129ab3b52c1c4de0a6cec6d8594422cf.pdf?index=true
    • http://vavilonogamet.epizy.com/chest_dips_form.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000faa9.bin
e3da68d9f9e135d0c0947aed638561837120811bafe09e59d6d0fa0132403e42		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAA9 5284 bytes
font_01_sfnt_off00010cbe.bin
c54cdb4c3b84854bdfecfe30d1931e7d1b3695329777b07c7267aa81e6f644ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10CBE 12244 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.