Malicious PDF — malware analysis report

Static analysis result for SHA-256 b465cc13bd310512…

MALICIOUS

PDF

100.2 KB Created: 2021-07-23 00:03:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: ee1d42b9702f3f6b6a6e5d4a049bcf08 SHA-1: 07dbdb42ddfe8640f36bea1f892022dba1789fc9 SHA-256: b465cc13bd310512affe391befea74a77af3c1eb8182aa9d6e12111e429e47f6
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. An external URI pointing to 'cructi.ru' was extracted, which is likely part of a phishing or malware distribution scheme. No scripts were extracted, but the presence of a malicious URL suggests an attempt to redirect the user to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/square?utm_term=a+shift+in+the+demand+curve+is+caused+by
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f88693ae154a16ba90e9f3/1626900115680/fluency_made_easy_book_free_download.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f978908c7b33121d01fb71/1626962064678/74008472296.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f5009881f38b20589ac37c/1626669208466/59880728398.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f8d35724c5f82eff4da4d5/1626919767388/what_can_i_feed_a_bee.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f5821b860d895b4842273d/1626702363461/gross_sexual_imposition.pdf
    • https://static1.squarespace.com/static/60aac4e0d5abe22cec5c4b22/t/60f3c12780d83038fa86f47b/1626587431666/what_does_the_graph_of_acceleration_vs_time_look_like_for_something_going_a_constant_velocity.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60f52ef826c2747482f5f684/1626681080494/zesonenune.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60edacb5881afe0f0ced44f5/1626188982040/density_based_traffic_light_control_system_project_report.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60f3160eebca9b5ae8e8f392/1626543630827/a_guide_to_physics_problems.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f14d2a6e3a8560b3d4117e/1626426666843/a_pinched_nerve_in_the_lower_back.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60ee76f4115d504d3a89cb57/1626240756749/cross_between_chihuahua_and_jack_russell.pdf
    • https://static1.squarespace.com/static/60aac4dd19f082755c4e5c69/t/60eda5ad8b6fd728761606ac/1626187181790/houses_for_sale_in_plumstead.pdf
    • https://static1.squarespace.com/static/60aac52a97a1d73ddacfe14c/t/60e87b09188f056babc67e4a/1625848585093/16921491943.pdf
    • https://static1.squarespace.com/static/60aac59fb7e9621e2f466549/t/60f17f3de013e242e717df3a/1626439485324/propranolol_10_mg_for_anxiety.pdf
    • https://static1.squarespace.com/static/60bf6cad3a95e91b59aa2418/t/60e8eeae8ce0e10532d05c61/1625878191159/marriage_certificate_template_word_free.pdf
    • https://static1.squarespace.com/static/60bf6c89a2b0b938881bcf91/t/60f7f03453df297156b71fad/1626861620203/zalisun.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012484.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12484 16792 bytes
font_01_sfnt_off00013c9b.bin
6ed1eea975c547f8fbe56a010bd7257e4d4c5154f2dc9dab3fec9fc8a6e8abfc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13C9B 10976 bytes
font_02_sfnt_off000155f2.bin
1aca03b424a2dbdcbcd7ce9c8d95115afec0796ceae849655afa19ef3c855468		 pdf-font-stream PDF embedded font (sfnt) at offset 0x155F2 17372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.