Malicious PDF — malware analysis report

Static analysis result for SHA-256 a76c75f58ecddceb…

MALICIOUS

PDF

Size: 236.4 KB
Created: 2021-03-15 18:09:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 32a2dbf21eecd36e44ad81a09a0e1c90
SHA-1: 2b3bcfabb108ddf943dfa4daeca1d29598b74327
SHA-256: a76c75f58ecddcebe00cfa95112fa697b0c3285cfc50df42f465ee1b2e396deb
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier indicating maliciousness. The presence of an external URI pointing to 'dafemum.ru' suggests a phishing or malware distribution attempt. The document body, though partially corrupted, contains text that likely serves as a lure, as indicated by the 'SE_URGENCY_LURE' heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dafemum.ru/strik?utm_term=when+islam+first+came+to+india

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00036a1f.bin
  SHA-256: 41e05c86ed175adcba53d7e01bb4596e0d7e97d0a1b4648ac38411f7f45730a0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x36A1F
  Size: 5272 bytes

Filename: font_01_sfnt_off00037bee.bin
  SHA-256: 6fab6fab6713e88480ca1f561e51c41e8896341fa571dd5a46413d705f9c2d1e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x37BEE
  Size: 11304 bytes