Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3805fa8bbb6df13…

Verdict: MALICIOUS

File type: PDF

Size: 77.3 KB | Created: 2021-04-01 07:45:01 +03:00 | Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c50f58ef388b225bf1e28e128dc1d5a
SHA-1: 7ee8f906d00873e2eb91e0c5e71baaad357f1a35
SHA-256: c3805fa8bbb6df134f1b26231273ff42e62a152a3ec0df3f92d6565aefa74e4a
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

ClamAV (signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0) and the Nyx PDF classifier (score 0.9995) both flag the file as malicious. The document carries an external URI action pointing at seumenha.ru, consistent with a phishing or malware-distribution lure: the file was generated from HTML with wkhtmltopdf, and the extracted URL list is dominated by further .pdf downloads on assorted third-party hosts. No JavaScript or other script was extracted, so the T1059.007 (JavaScript) mapping is not backed by recovered code and should be treated as tentative; what the structure supports is a spearphishing attachment (T1566.001) whose link action is meant to make the recipient fetch further content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action, script or similar).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://seumenha.ru/wix?keyword=cell+energy+crossword+answers (target of the external URI action)
    • https://cdn.sqhk.co/ziveluki/FhcUjeq/four_magic_words_to_say_to_a_man.pdf
    • https://cdn.sqhk.co/tavaxiwugo/GphhUqh/losenasisemadi.pdf
    • http://goodsfor.life/download_olympus_viewer_3_for_maccqmnj.pdf
    • https://cdn.sqhk.co/dopuzodopuvu/Yheidjc/top_10_parkour_games_for_pc.pdf
    • http://ulekschool.online/5304479258f6nr2.pdf
    • http://ejinaya.com/33744133779l6mdg.pdf
    • http://lnstagram-office.com/jugegotuf90i9.pdf
    • https://cdn.sqhk.co/niripakexad/jiptvQk/transmission_repair_shops_in_las_vegas.pdf
    • http://wersita.fun/youth_voice_census_report_2019t0bjk.pdf
    • https://butevexonukuzi.weebly.com/uploads/1/3/2/6/132681970/9c612.pdf
    • https://gajodugibo.weebly.com/uploads/1/3/4/6/134635488/zefinutop.pdf
    • http://lopitimew.mygamesonline.org/jumabujazunive.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://8cff94d3-ecab-4ea5-ad27-d3e67d02fd32.filesusr.com/ugd/2813e2_83a206b34e934b9aa272d6bca64a9ec4.pdf?index=true
    • http://xotopusedewix.myartsonline.com/canada_immigration_points_calculator.pdf
    • http://tikomiwewo.atwebpages.com/how_to_find_z_score_without_table.pdf
    • http://vugugemo.atwebpages.com/ielts_speaking_actual_test.pdf
    • https://uploads.strikinglycdn.com/files/5273cdcb-f3e2-4f89-a2e1-348100d55945/70286800520.pdf
    • https://e192e36c-395d-4660-9df6-aa7aed00c30a.filesusr.com/ugd/3aee12_14f032fa3c5d47e89318fb8a1f0b3fdb.pdf?index=true
    • https://fa0867c9-8cf0-46f9-bfae-aad8e49c21f3.filesusr.com/ugd/cdba2c_7e722292ce9c427d93e7f0bf9bd2b647.pdf?index=true
    • https://uploads.strikinglycdn.com/files/385ca7b9-f122-44be-805f-9d5334944d6d/jijobukivoriridegobujepe.pdf
    • https://5de6e22f-064f-4859-b003-4eaa502c5056.filesusr.com/ugd/2609e6_46b33d6bf1104b50916949cc171e14c9.pdf?index=true
    • http://sopexalibip.onlinewebshop.net/fijotukagutugenapuro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not navigable link targets: the w3.org, purl.org and ns.adobe.com entries are XMP metadata namespace identifiers (RDF, Dublin Core and the Adobe PDF/XMP schemas) and http://scripts.sil.org/OFL is the SIL Open Font License URL that embedded fonts commonly carry in their license metadata. The two ascendercorp.com entries are likely of the same origin (Ascender is a font foundry). The seumenha.ru URI action and the .pdf download links are the entries that matter for triage.
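The two structural heuristics above, PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on a raw file with a short scanner. The following is an added example and not the analyzer's own code: it splits the file into indirect objects, flags any object defined more than once with differing bodies, raises the severity when a duplicate carries an action or script token, and lists /URI targets as a first-wins and a last-wins reader would each resolve them. The sample PDF bytes, the example.invalid hostnames and the object layout are constructed for illustration and are not taken from the sample analysed on this page.

```python
"""Scan a raw PDF for objects defined more than once with different bodies
and for /URI link-action targets, resolving duplicates as a first-wins and a
last-wins reader would. Added example, not the analyzer's own code."""
import re
from collections import defaultdict

# "N G obj ... endobj"; the lookbehind stops "12 0 obj" matching as "2 0 obj".
# Limits: objects inside compressed /ObjStm streams and binary streams that
# happen to contain the bytes "endobj" are not handled.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /URI (literal)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")            # /URI <hex>
ESC_RE = re.compile(rb"\\([0-7]{1,3}|\r\n|\n|\r|.)", re.S)        # literal-string escapes
ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
       b"(": b"(", b")": b")", b"\\": b"\\"}
# Tokens that make a duplicated object "active content" and raise its severity
ACTIVE_TOKENS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/SubmitForm",
                 b"/GoToR", b"/ImportData", b"/OpenAction", b"/AA", b"/RichMedia")


def scan_objects(data: bytes) -> dict:
    """Map (num, gen) -> list of body bytes in file order; updates append later copies."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return dict(objs)


def duplicate_bodies(objs: dict) -> dict:
    """Objects defined more than once whose bodies are not all byte-identical."""
    return {key: {"count": len(b), "first_wins": b[0], "last_wins": b[-1]}
            for key, b in objs.items() if len(b) > 1 and len(set(b)) > 1}


def has_active_content(body: bytes) -> bool:
    return any(tok in body for tok in ACTIVE_TOKENS)


def decode_pdf_string(raw: bytes) -> str:
    """Unescape a PDF literal string: named escapes, octal codes, line continuation."""
    def one(m):
        e = m.group(1)
        if e in ESC:
            return ESC[e]
        if e[:1] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        if e in (b"\r\n", b"\n", b"\r"):      # backslash-newline is dropped
            return b""
        return e                              # unknown escape: keep the character
    return ESC_RE.sub(one, raw).decode("latin-1")


def uri_targets(objs: dict, policy: str = "last") -> list:
    """/URI targets per object, taking its first or its last definition."""
    hits = []
    for key in sorted(objs):
        body = objs[key][0] if policy == "first" else objs[key][-1]
        for m in URI_LIT_RE.finditer(body):
            hits.append((key, decode_pdf_string(m.group(1))))
        for m in URI_HEX_RE.finditer(body):
            h = re.sub(rb"\s", b"", m.group(1))
            h += b"0" * (len(h) % 2)          # odd digit count: final digit is padded
            hits.append((key, bytes.fromhex(h.decode()).decode("latin-1")))
    return hits


def analyze(data: bytes) -> dict:
    objs = scan_objects(data)
    dups = {}
    for key, d in duplicate_bodies(objs).items():
        active = has_active_content(d["first_wins"]) or has_active_content(d["last_wins"])
        dups[key] = {"definitions": d["count"], "severity": "high" if active else "info"}
    return {"duplicates": dups,
            "uris_first_wins": uri_targets(objs, "first"),
            "uris_last_wins": uri_targets(objs, "last")}


# Constructed sample, not the analysed file: a one-page PDF whose link annotation
# (object 4) and Info dictionary (object 5) are both redefined by an appended
# incremental update. Cross-reference tables are omitted; the scan is byte-order based.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]\n"
    b"   /A << /S /URI /URI (https://docs.example.invalid/report.pdf) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 792]\n"
    b"   /A << /S /URI /URI (https://lure.example.invalid/wix?keyword=crossword+answers) >> >>\nendobj\n"
    b"5 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210401074501+03'00') >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    result = analyze(SAMPLE_PDF)
    for (num, gen), info in sorted(result["duplicates"].items()):
        print(f"obj {num} {gen}: {info['definitions']} definitions, severity {info['severity']}")
    print("first-wins reader follows:", [u for _, u in result["uris_first_wins"]])
    print("last-wins reader follows: ", [u for _, u in result["uris_last_wins"]])
```

Run it against a real file with `analyze(open(path, "rb").read())`. File order stands in for the update chain: an incremental update appends the new definition, so the last body is what a reader honouring the newest cross-reference section loads, while a reader that rebuilds from a missing or damaged xref by scanning may settle on either, which is exactly the disagreement the duplicate-object heuristic flags. In the constructed sample the redefined Info dictionary (object 5) stays at "info" because it carries no action, while the redefined link annotation (object 4) is raised to "high" and the two reader policies follow different URLs. Objects packed into compressed object streams (PDF 1.5 /ObjStm) must be inflated before this scanner sees them.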

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000f074.bin | 45b070585d5fc19ef338fc12a99e3a6fb7a1579e8b1f800da66019c37e82a9ce | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF074 | 5208 bytes
font_01_sfnt_off0001024d.bin | 11c53f58e4dcb4240c40f60c2c79a6920ffc512703f631ddf093bb73dba2aba9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1024D | 10920 bytes