Malicious PDF — malware analysis report

Static analysis result for SHA-256 d598520442ebc3f5…

Verdict: MALICIOUS
File type: PDF
Size: 77.2 KB
Created: 2021-03-29 07:15:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 594325944b0bff832242849774ff4e45
SHA-1: 7bcad178a90941c31539e9aabb73ce867e776468
SHA-256: d598520442ebc3f583f4a2cc042f3c53f696fc346dd0e84ac61912157680dc92
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically identified as a phishing trojan. It contains an embedded URL that directs users to a domain seemingly related to the document's purported content, likely to facilitate a phishing or malware distribution attempt. No scripts were extracted, but the presence of an external URI and the ML/ClamAV detections strongly indicate a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://dafemum.ru/award?keyword=australian+calorie+counter+chart+pdf
    • http://sagokorize.22web.org/wuravogotufuvenawamumimux.pdf
    • http://goproits.com/migozxsa2n.pdf
    • http://pixenevalir.22web.org/sufatofamomepu.pdf
    • http://mkuu.club/wejusazumidumogagetujanhlb1e.pdf
    • https://cdn-cms.f-static.net/uploads/4379964/normal_6042fdfb000a7.pdf
    • http://gravkamen.ru/zavumaxezekezim2grsn.pdf
    • http://berozava.iblogger.org/bnm_ccris_guidelines.pdf
    • https://cdn-cms.f-static.net/uploads/4375077/normal_6035c791bd942.pdf
    • https://cdn-cms.f-static.net/uploads/4388293/normal_5fd12f6d9bacb.pdf
    • https://cdn-cms.f-static.net/uploads/4469852/normal_5fea2af737aad.pdf
    • https://static.s123-cdn-static.com/uploads/4366406/normal_5fca7ad683f60.pdf
    • https://cdn-cms.f-static.net/uploads/4487663/normal_5fdb13a65a6a9.pdf
    • https://static.s123-cdn-static.com/uploads/4417306/normal_5fe3b60a78d43.pdf
    • https://cdn-cms.f-static.net/uploads/4366362/normal_602ea2db626c4.pdf
    • http://beautysss.site/74279115567o7cjv.pdf
    • https://static.s123-cdn-static.com/uploads/4417670/normal_5fef3ddf7221e.pdf
    • https://cdn-cms.f-static.net/uploads/4424645/normal_601f2e6a04efa.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://bavidoripo.epizy.com/tijikixukegawimit.pdf
    • https://313cea95-bd78-4864-9d9d-3b26c3bbe0bd.filesusr.com/ugd/2142af_0dcd1c3298b24c7b9cdf65015e7c4878.pdf?index=true
    • http://zaxigadanu.rf.gd/alternator_troubleshooting_guide.pdf
    • http://murobalebijuge.rf.gd/chinese_dragon_mask_templates.pdf
    • https://e31b828f-dd5d-4b35-abba-5777d5fc2ed6.filesusr.com/ugd/56a8cc_6e2eaf018a7c48318cc3246f11058be3.pdf?index=true
    • https://d992f69e-bc5b-430a-92d7-abfd66d0380b.filesusr.com/ugd/6f7357_5e3d617db26c4597abb180a2cb612f15.pdf?index=true
    • https://c78267de-509c-4cb0-9394-6b21b7876e04.filesusr.com/ugd/290ce3_532d444cf85d40c496ade03b7d48ed57.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000eed4.bin
    SHA-256: 7de4be2ff70cad115cab149e766c8fb25e93e7076ed9c8e02723ba5cc3e6f557
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEED4
    Size: 5232 bytes
  • font_01_sfnt_off00010099.bin
    SHA-256: 89a8f563522150cb12c6c739f99d26b011a1b8a5688a08bd7dd0ae97963167c4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10099
    Size: 11376 bytes