Malicious PDF — malware analysis report

Static analysis result for SHA-256 da0eca520863dc07…

MALICIOUS

PDF

76.3 KB Created: 2021-03-29 05:03:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 13daefc009215e04da3605f6031451ec SHA-1: 214b55019c41c2d8b506fb0fc653300ee6480855 SHA-256: da0eca520863dc0751411c9ca752a4cf52afc779febfa9a882ec938056b308fd
124 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for Pdf.Phishing.Trojan and an ML classifier indicating maliciousness. The PDF contains numerous embedded URLs, with a primary suspicious URL pointing to 'dugedepap.ru', suggesting a phishing or malware distribution attempt. The document body, though heavily obfuscated, contains metadata related to PDF creation and potentially keywords intended to deceive users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9133

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dugedepap.ru/award?keyword=achievers+magazine+english+pdf
    • https://cdn-cms.f-static.net/uploads/4381531/normal_602ff02d6f9f1.pdf
    • http://zatutajijiti.getenjoyment.net/livre_architecture_bioclimatique.pdf
    • http://sopugepibimel.mypressonline.com/86690090275.pdf
    • http://ginalupajeriw.scienceontheweb.net/south_african_history_download.pdf
    • https://cdn-cms.f-static.net/uploads/4476135/normal_602792f6ba1d5.pdf
    • https://static.s123-cdn-static.com/uploads/4407069/normal_5fe0ad9fde825.pdf
    • http://bumululoru.mywebcommunity.org/defensa_nacional_del_peru.pdf
    • http://ginixotojaru.medianewsonline.com/tamil_nadu_election_commission_voter_list.pdf
    • http://jedomagisuw.getenjoyment.net/18091660533.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/4b525969-e6f3-41b8-b9c2-d5c536c11c67/epson_stylus_nx230_wireless_setup_without_cd.pdf
    • http://mafonevaverazux.atwebpages.com/14967775997.pdf
    • https://ca6b24e6-01cd-4368-a310-1df05077a315.filesusr.com/ugd/11b39a_ca028bd9b63e432ab12a189176ad0e12.pdf?index=true
    • https://s3.amazonaws.com/kasuwevovog/afsoon_e_jaan_part_2_free.pdf
    • https://uploads.strikinglycdn.com/files/bedca3fa-47e9-47e0-b29e-b80ab67775b8/wiwidixetawegepopotes.pdf
    • http://sojufuka.atwebpages.com/backward_design_lesson_plan_sample.pdf
    • https://s3.amazonaws.com/xidazeze/85310849448.pdf
    • https://uploads.strikinglycdn.com/files/7c08e7a5-920f-4fa7-ba25-d51f07e8b090/premiere_pro_system_requirements_helpx.pdf
    • https://e0bfa911-60eb-4c53-bd8d-ceec25156dfb.filesusr.com/ugd/0a052f_4f1ffaa1701548a6bc24858ee1381447.pdf?index=true
    • https://s3.amazonaws.com/mikibetiv/gopro_hero_4_silver_price.pdf
    • https://uploads.strikinglycdn.com/files/d4195031-8dea-4675-9154-1b4b8239fa87/autocad_free_trial_expired.pdf
    • http://legokejapo.atwebpages.com/organic_chemistry_alkanes.pdf
    • https://e064a861-6c7b-46af-b67a-66be1f32d776.filesusr.com/ugd/ec3e4b_08302fa768254f90bc430a19f180328d.pdf?index=true
    • https://s3.amazonaws.com/jifedefujodu/dukobadadigatovabaradifa.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f96d.bin
a67afce6c9468e8cd90c60d97a0f7af49de1c991bcf40130cc06635cca99b5df		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF96D 5668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.