Malicious PDF — malware analysis report

Static analysis result for SHA-256 c308c9f0db2a118a…

Verdict: MALICIOUS
File type: PDF
Size: 78.0 KB
Created: 2021-03-19 17:50:24 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a3cd4346407ed3bde5788f034d04d1e
SHA-1: 7b02433f5606f0596af6bae3d7bf608c31df7245
SHA-256: c308c9f0db2a118a2f45e717c1ed21d312514611683b7256841e34d8484b6813
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged as malicious by both the Nyx machine-learning classifier (score 0.9993) and ClamAV (a Pdf.Phishing.Trojan signature). The only active content the heuristics found is a single external URL action; no JavaScript, launch or embedded-file heuristic fired, so the T1059.007 (JavaScript) tag above is not corroborated by the findings listed below. The primary indicator of compromise is the link target https://midufefew.ru/award?keyword=pdf+arbatel+de+magia+veterum, which most likely serves a lure page or redirects to one. The remaining extracted URLs should not be treated as detections: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers, scripts.sil.org/OFL is the SIL Open Font License URL and the ascendercorp.com pages most likely come from the name tables of the two embedded fonts, and the .weebly.com, iblogger.org, epizy.com, strikinglycdn.com and s3.amazonaws.com links, which the report does not tie to a URI action, are the kind of keyword-stuffed "free PDF download" links found in mass-generated scam pages and are useful as related infrastructure to pivot on. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a document generated automatically from a web page. The document's visible text, which the analysis reports as heavily obfuscated, points to a phishing or scam attempt built around the title keyword.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware with the signature named above.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://midufefew.ru/award?keyword=pdf+arbatel+de+magia+veterum
    • https://kebafilononuxo.weebly.com/uploads/1/3/1/3/131378837/8531625.pdf
    • http://zevuzigix.iblogger.org/9393476593.pdf
    • http://meblik.su/17754080923k4rt3.pdf
    • http://pinudub.iblogger.org/new_york_city_criminal_justice_reform.pdf
    • http://balewezekowesab.iblogger.org/laser_a2_workbook_answers.pdf
    • https://wevuretadoza.weebly.com/uploads/1/3/5/3/135320639/4a407e0.pdf
    • https://xigujevaw.weebly.com/uploads/1/3/4/7/134701692/3958718.pdf
    • http://jakor.pro/15230237286zdogm.pdf
    • http://dakuximakux.22web.org/cisco_2960g_manual.pdf
    • https://bazeliwelari.weebly.com/uploads/1/3/1/8/131857734/sesabit.pdf
    • https://zaxefuki.weebly.com/uploads/1/3/5/2/135299090/1127869.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/2a9d1c1d-49cc-49b6-866b-337189c14176/11283374162.pdf
    • https://s3.amazonaws.com/jeduzizonox/fiwateli.pdf
    • https://s3.amazonaws.com/ponivotigegepub/longman_business_english_dictionary_free_download.pdf
    • http://wobemiko.epizy.com/centrifugal_force_experiment_report.pdf
    • http://veguxakafopuvix.epizy.com/difference_between_denotative_and_connotative_meaning.pdf
    • http://gewevamaki.epizy.com/62529542072.pdf
    • https://s3.amazonaws.com/fuzafuzeruwit/streaming_app_android_reddit.pdf
    • http://pavinudoj.epizy.com/adhyaksh_in_america_kannada_movie_songs.pdf
    • https://uploads.strikinglycdn.com/files/6e323989-d13d-42db-8ace-dd46aff00f08/relationship_between_old_testament_and_new_testament_bible.pdf
    • http://wafubarig.epizy.com/3505127453.pdf
    • http://mozizilusonasij.epizy.com/pdf_text_editor_online_tool_free.pdf
    • https://s3.amazonaws.com/wujanozo/ccna_composite_or_icnd1_and_icnd2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
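The two heuristics PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL above both rest on the same low-level step, walking the raw "N G obj ... endobj" definitions of a file, so one added example covers both. The code below is written for this page and is not code from the report or from the tool that produced it. It runs on a small PDF constructed inline (cross-reference tables are omitted because the scanner never consults them, and the hostnames example.com and lure.invalid are placeholders): the original body defines a link annotation, and an appended incremental update redefines the same object number with a different link target. The scanner reports the duplicate, shows what a first-wins and a last-wins reader would each resolve, escalates only because the duplicated object carries active content (a /URI action), and labels every extracted URL with the channel it was found in (URI action, XMP namespace, or plain body text), which is the per-URL labelling the EMBEDDED_URL note refers to.

```python
# Added example (not the report's or the analysis tool's code): a minimal scanner for
# PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL / PDF_URI over a constructed PDF.
import re
from collections import defaultdict

# "N G obj ... endobj"; the lookbehind keeps "10 0 obj" from also matching as "0 0 obj".
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # /A << /S /URI /URI (...) >>
XMP_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)  # XMP metadata packet
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"')]+")        # any URL-looking string
# Coarse substring check for keys that make a duplicated object worth escalating.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")

# Constructed sample: xref tables omitted (the scanner never needs them), placeholder hosts.
ORIGINAL = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (https://example.com/original-link) >> >>
endobj
5 0 obj
<< /Type /Metadata /Subtype /XML /Length 110 >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""
# Incremental update appended after %%EOF: object 4 is redefined with a new link target.
UPDATE = b"""4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (https://lure.invalid/award?keyword=pdf+x) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 9 >>
%%EOF
"""
SAMPLE = ORIGINAL + UPDATE


def find_objects(data):
    """Map (num, gen) -> list of body bytes in file order; duplicates are kept."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return objs


def resolve(data, num, gen, policy="last"):
    """Body a reader would use: 'first' for a first-wins parser, 'last' for last-wins."""
    bodies = find_objects(data).get((num, gen))
    return None if not bodies else (bodies[0] if policy == "first" else bodies[-1])


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (num, gen) defined with differing bodies."""
    findings = []
    for key, bodies in find_objects(data).items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            active = any(k in b for b in bodies for k in ACTIVE_KEYS)
            # Body-only differences are normal in incremental updates; escalate only
            # when the duplicated object carries active content.
            findings.append({"obj": key, "first_wins": bodies[0], "last_wins": bodies[-1],
                             "active": active, "severity": "warning" if active else "info"})
    return findings


def classify_urls(data):
    """EMBEDDED_URL: every URL together with the channel it was reached through."""
    uri_spans = [(m.start(1), m.end(1)) for m in URI_ACTION_RE.finditer(data)]
    xmp_spans = [m.span() for m in XMP_RE.finditer(data)]

    def inside(pos, spans):
        return any(a <= pos < b for a, b in spans)

    labelled = []
    for m in ANY_URL_RE.finditer(data):
        if inside(m.start(), uri_spans):
            channel = "uri_action"      # clickable link target: the actionable IOC
        elif inside(m.start(), xmp_spans):
            channel = "xmp_namespace"   # schema identifier in metadata, not an IOC
        else:
            channel = "document_body"
        labelled.append((m.group().decode("latin-1"), channel))
    return labelled


if __name__ == "__main__":
    for f in duplicate_objects(SAMPLE):
        print(f"obj {f['obj']} duplicated, active={f['active']}, severity={f['severity']}")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
    for url, channel in classify_urls(SAMPLE):
        print(f"{channel:14} {url}")
```

Run it on a real sample by replacing SAMPLE with the file's bytes; on this report's file the same walk would surface the URI action separately from the XMP namespace URLs and the font-licence URL, which is why the URL list alone is not a detection. The regex-based object walk is deliberately the same shortcut a lenient reader takes (it ignores the xref table), so it sees every definition, including the ones an xref-driven reader would never look at.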

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000f284.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF284   5248 bytes
  SHA-256: dfe76d6186e6a8932b0f4ec1e32faf120934f11131824e5c178a1db9f5284edd
font_01_sfnt_off00010454.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10454  11344 bytes
  SHA-256: 363f9108051f8c7490291630d1702afa9509a18baaf8533d3863a039c81546ab