Malicious PDF — malware analysis report

Static analysis result for SHA-256 da635fdd28dc9391…

Verdict: MALICIOUS
File type: PDF

Size: 148.6 KB
Created: 2021-05-18 01:32:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-22
MD5: 33d602c606ba87376d7dbabc6e7422b2
SHA-1: 28c5770096563b9a779f8f1f6370b96bdca03d5b
SHA-256: da635fdd28dc9391ff684de5d656cb937c0cb51eddfb736f16adf6fa1f94c6c5
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was flagged as malicious by both the machine-learning PDF classifier (score 0.6787) and ClamAV, whose signature classifies it as a PDF phishing trojan. The only URL reached through an active channel is a link annotation pointing at mezovuduw.ru, a domain associated with malicious activity; the document is a lure that invites the reader to click through, most likely to a page that serves further malware. A call-to-action ('download') phrase and the wkhtmltopdf authoring signature, which shows the document was rendered from a web page, support the phishing pretext. Of the URLs found only in document text, the weebly-, s3- and epizy-hosted .pdf links appear to follow the same lure pattern, while the ns.adobe.com, purl.org, w3.org, gnu.org and font-vendor URLs are XMP schema identifiers and font-licence strings and carry no signal on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6787

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) through which each URL is reached.
    PDF link annotation:
      • https://mezovuduw.ru/strik?utm_term=black+panther+movie+download+in+tamil+dubbed+hd+720p
    PDF document text:
      • https://diwijavel.weebly.com/uploads/1/3/4/6/134691177/ganisu_tixonupeximolu_rejuputotisuz_laxupov.pdf
      • https://static.s123-cdn-static.com/uploads/4391009/normal_5fcf98668b0ae.pdf
      • https://cdn-cms.f-static.net/uploads/4501214/normal_600f1fa82e7f0.pdf
      • https://static.s123-cdn-static.com/uploads/4480582/normal_5fcb70b4ac338.pdf
      • https://mugijimefulex.weebly.com/uploads/1/3/1/6/131606494/6036454.pdf
      • https://berisojelo.weebly.com/uploads/1/3/0/8/130874511/27bd5cffe.pdf
      • https://totijavefukaja.weebly.com/uploads/1/3/4/7/134705726/tilemanikufi_feluzekoxura_mixaf_ravavejubav.pdf
      • https://zuwiliwiwira.weebly.com/uploads/1/3/1/0/131071082/raxezigivobo.pdf
      • https://static.s123-cdn-static.com/uploads/4365536/normal_5ffdffb8d1723.pdf
      • https://cdn-cms.f-static.net/uploads/4382770/normal_604e8f5bb6c14.pdf
      • http://gigewaxupupixe.22web.org/64452480567.pdf
      • http://www.ascendercorp.com/
      • http://www.ascendercorp.com/typedesigners.html
      • http://fedorahosted.org/lohit
      • http://www.daltonmaag.com/
      • https://s3.amazonaws.com/retisovojor/33037787264.pdf
      • http://govezijatin.rf.gd/how_to_descale_a_keurig_k400_series.pdf
      • http://zemagarekerak.epizy.com/abaqus_simulation_software_free.pdf
      • https://s3.amazonaws.com/likadojivivofu/endocrine_system_multiple_choice_questions_and_answers.pdf
      • https://s3.amazonaws.com/bitajemisajoz/a_murder_is_announced_1985_cast.pdf
      • https://s3.amazonaws.com/vajefam/rulubixosegaduketek.pdf
      • https://s3.amazonaws.com/baxunaf/63677153427.pdf
      • https://s3.amazonaws.com/pivetuzadujo/kupujamuvirotalanopex.pdf
      • http://ligeziwofumupo.epizy.com/dataxofi.pdf
      • https://s3.amazonaws.com/wezukep/april_may_calendar_2019.pdf
      • https://s3.amazonaws.com/zonivezada/93768396274.pdf
      • https://s3.amazonaws.com/megodipewukitoj/what_should_humidity_control_be_set_at.pdf
      • https://s3.amazonaws.com/bezorito/guided_access_stuck_on_iphone_8.pdf
      • https://s3.amazonaws.com/falevi/92851708461.pdf
      • https://s3.amazonaws.com/jenagubadopi/dikupoveribitupokirujub.pdf
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/rights/
      • https://savannah.gnu.org/projects/freefont/
      • http://www.gnu.org/licenses/
      • http://www.gnu.org/copyleft/gpl.html
      • http://scripts.sil.org/OFL
      • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
      • http://www.gnu.org/copyleft/gpl.htmRegular
      • http://dejavu.sourceforge.net
      • http://dejavu.sourceforge.net/wiki/index.php/License
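
As an added example (not part of this report and not the code of the engine that produced it), the following Python script implements the check behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL as described above: it scans for every `N G obj` definition, flags object ids whose bodies differ, shows what a first-wins and a last-wins reader would resolve, and escalates only when a differing body carries active content. The sample PDF bytes, the host names in it and the ACTIVE_KEYS list are constructed for this example.

```python
import hashlib
import re

# Constructed sample (not the analysed file): object 5 0 is defined twice.
# The first definition is an ordinary link annotation; an incremental update
# appended after the first %%EOF redefines 5 0 with a different /URI target.
# The sample carries no xref tables because this scan does not need them.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n",
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.org/report.pdf) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://lure.example/strik) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# Keys that make a redefined object "active": a reader can be steered to
# follow, open or execute something through them (list chosen for the example).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
               b"/AA", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def iter_objects(data):
    """Yield (num, gen, body, offset) for every 'N G obj ... endobj' in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip(), m.start()


def find_duplicate_objects(data):
    """Map (num, gen) -> list of definitions, for ids defined more than once
    with differing body bytes. Byte-identical re-definitions are ignored."""
    seen = {}
    for num, gen, body, off in iter_objects(data):
        seen.setdefault((num, gen), []).append({
            "offset": off,
            "sha256": hashlib.sha256(body).hexdigest(),
            "active": [k.decode() for k in ACTIVE_KEYS if k in body],
        })
    return {k: v for k, v in seen.items()
            if len(v) > 1 and len({d["sha256"] for d in v}) > 1}


def resolve(data, num, gen, policy):
    """Body a scanning reader ends up with: 'first' keeps the first definition,
    'last' keeps the final one (the result an incremental update intends)."""
    bodies = [b for n, g, b, _ in iter_objects(data) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def severity(dups):
    """The report's rule: informational unless a duplicate carries active content."""
    if not dups:
        return "none"
    if any(d["active"] for defs in dups.values() for d in defs):
        return "high"
    return "info"


def extract_uri(body):
    """First /URI (...) string in an object body, or None."""
    m = re.search(rb"/URI\s*\((.*?)\)", body or b"")
    return m.group(1).decode("latin-1") if m else None


if __name__ == "__main__":
    dups = find_duplicate_objects(SAMPLE_PDF)
    for (num, gen), defs in dups.items():
        print(f"object {num} {gen} defined {len(defs)} times with different bodies")
        for d in defs:
            print(f"  offset 0x{d['offset']:x}  sha256 {d['sha256'][:16]}...  active {d['active']}")
    print("first-wins reader follows:", extract_uri(resolve(SAMPLE_PDF, 5, 0, "first")))
    print("last-wins reader follows: ", extract_uri(resolve(SAMPLE_PDF, 5, 0, "last")))
    print("severity:", severity(dups))
```

A spec-conformant reader follows the xref chain from startxref, which in a genuine incremental update points at the later definition; readers that rebuild the object table by scanning the file (common after a damaged xref) are the ones that end up first-wins or last-wins. That is why the finding stays informational until the differing body carries something a reader can be made to follow or execute, as the second definition of 5 0 does here.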

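The per-URL channel labels on the EMBEDDED_URL finding can be reproduced with a small scanner. The Python below is an added example, not the report's own tooling: it walks every object, inflates FlateDecode streams, pulls out URLs and labels each one by the channel through which a reader would reach it (a /URI link action, a JavaScript action, XMP metadata, or plain document text), so that only the first two count as active. The sample PDF, its host names and the short XMP_SCHEMAS allowlist are constructed for this example.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Payload runs up to the LF before 'endstream'; a CRLF-terminated stream leaves
# a trailing CR, which zlib ignores after the end of the deflate stream.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s<>()'\"]+")

# Well-known XMP/RDF schema namespaces (assumption: this short allowlist is
# enough for the sample; a production tool would carry the full schema set).
XMP_SCHEMAS = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
)
ACTIVE_CHANNELS = {"link annotation (/URI action)", "JavaScript action"}

# Constructed sample (not the analysed file): a /URI link annotation, an XMP
# metadata stream, a Flate-compressed content stream that merely prints a URL,
# and a JavaScript action that opens one. Host names are placeholders.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
CONTENT = zlib.compress(b"BT /F1 12 Tf (See https://files.example/guide.pdf for details) Tj ET")
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 90 20]"
    b" /A << /S /URI /URI (https://lure.example/strik) >> >> endobj\n",
    b"6 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP),
    XMP, b"\nendstream endobj\n",
    b"7 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(CONTENT),
    CONTENT, b"\nendstream endobj\n",
    b"8 0 obj << /S /JavaScript /JS (app.launchURL\\(\"https://js.example/next\"\\)) >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])


def _stream_payload(dictionary, raw):
    """Inflate a FlateDecode stream; leave other or damaged streams as-is."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            pass  # damaged stream: scan the raw bytes anyway
    return raw


def _channel(dictionary, payload):
    """Name the channel through which a reader would reach a URL in this object.
    Matching '/Subtype /Link' literally assumes the single-space layout of the
    sample; a real tool would tokenise the dictionary instead."""
    if b"/JavaScript" in dictionary or b"/JS" in dictionary:
        return "JavaScript action"
    if b"/Subtype /Link" in dictionary and b"/URI" in dictionary:
        return "link annotation (/URI action)"
    if b"/Type /Metadata" in dictionary or b"x:xmpmeta" in payload:
        return "XMP metadata"
    return "document text"


def extract_urls(data):
    """Return [(url, channel, note)] for every URL, in file order."""
    found = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        dictionary = body[:sm.start()] if sm else body
        payload = _stream_payload(dictionary, sm.group(1)) if sm else b""
        channel = _channel(dictionary, payload)
        for um in URL_RE.finditer(dictionary + b"\n" + payload):
            url = um.group(0).decode("latin-1")
            note = ""
            if channel == "XMP metadata" and url.startswith(XMP_SCHEMAS):
                note = "schema namespace, no signal"
            found.append((url, channel, note))
    return found


def active_urls(data):
    """URLs a reader can be made to follow, as opposed to URLs it merely displays."""
    return [u for u, ch, _ in extract_urls(data) if ch in ACTIVE_CHANNELS]


if __name__ == "__main__":
    for url, channel, note in extract_urls(SAMPLE_PDF):
        print(f"{channel:32s} {url}  {note}")
    print("active:", active_urls(SAMPLE_PDF))
```

Run against a real sample the script will also surface the licence and vendor URLs that live inside embedded font programs; those arrive through "document text" and, like the XMP namespaces, are context for the analyst rather than indicators.
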
Extracted artifacts (9)

Files carved from inside the sample during analysis: nine embedded sfnt (TrueType/OpenType) font programs.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00018183.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x18183  7696 bytes
    SHA-256: d57dce2757a77e73366127df4db565f2944a7243398d13dfa92f80e4e2780b8d
font_01_sfnt_off000195be.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x195BE  5776 bytes
    SHA-256: eb615c3bf074d35e3f23b29d9ae022551fdd2365072ec24f7b289ed1a17f74d0
font_02_sfnt_off0001a93d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1A93D  7168 bytes
    SHA-256: 672f570a782b9e20439b0f0046db1139cdc80e19c515daee7438b346ead9c554
font_03_sfnt_off0001be0a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1BE0A  3720 bytes
    SHA-256: d0c9e33916e9e64e42e31bcf0d345f6c2fcd41735b1a34df0119bd0eb1094281
font_04_sfnt_off0001c966.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1C966  3264 bytes
    SHA-256: a1c9d367a6b48691f08a48ecb14646aeee528cb4ecfe3e5f583a9a3fe5cc9e8f
font_05_sfnt_off0001d68a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1D68A  15084 bytes
    SHA-256: aa3d87a7dd18045bd3abeec2a67e66f2a94a93e2a9484130e3639fd5424a2b09
font_06_sfnt_off0002053d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2053D  16440 bytes
    SHA-256: f39c8bd5c1fb434d77eebc2a27255ac1f7a6c44285a314beeac0a71bd112cf7d
font_07_sfnt_off00021b86.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x21B86  4324 bytes
    SHA-256: b50a2106bf82917db0cd3cf88f63c5e8cc3298b343ace5cffc591b35df33d24c
font_08_sfnt_off00022990.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x22990  6672 bytes
    SHA-256: 15e5c2ea1add9086bbbbe1b2262a98a39744c29589d2b0715c518e98940f18ea
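
The font artifacts above can be carved with a short script of one's own when a sandbox is not available. The Python below is an added example, not the report's carver: it locates every stream, takes its length from a direct /Length value (falling back to the endstream marker), inflates FlateDecode streams, keeps only payloads that start with an sfnt tag and carry a plausible table directory, and reports offset, size and SHA-256 under a filename in the report's own style. The minimal sfnt, the sample PDF around it and the assumption that the report's offset is that of the stream data are all constructed for this example.

```python
import hashlib
import os
import re
import struct
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
# Direct /Length only; '/Length 12 0 R' (an indirect reference) is rejected by
# the lookahead, and '/Length1' (the font's own size) does not match '\s+'.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
# sfnt container tags: TrueType (0x00010000 or 'true') and CFF-flavoured OpenType ('OTTO').
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def _minimal_sfnt():
    """A tiny but well-formed sfnt (constructed sample): 12-byte offset table,
    one 'name' table record, 16 bytes of table data. 44 bytes in total."""
    num_tables = 1
    offset_table = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num_tables, 16, 0, 0)
    table_data = b"\x00" * 16
    record = struct.pack(">4sIII", b"name", 0, 12 + 16 * num_tables, len(table_data))
    return offset_table + record + table_data


FONT = _minimal_sfnt()
_FONT_COMP = zlib.compress(FONT)
_CONTENT = b"BT /F1 12 Tf (hello) Tj ET"
# Constructed sample PDF: one plain content stream (skipped) and one
# FlateDecode font stream of the kind a FontDescriptor's /FontFile2 points at.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"3 0 obj << /Length %d >>\nstream\n" % len(_CONTENT), _CONTENT, b"\nendstream endobj\n",
    b"9 0 obj << /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n" % (len(_FONT_COMP), len(FONT)),
    _FONT_COMP, b"\nendstream endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])


def carve_sfnt_fonts(data):
    """One record per embedded sfnt font: file offset of the stream data,
    decoded size, SHA-256, table count, bytes and a report-style filename."""
    carved = []
    for m in STREAM_RE.finditer(data):
        # The stream's dictionary sits between its 'N G obj' and the 'stream' keyword.
        obj_start = data.rfind(b" obj", 0, m.start())
        dictionary = data[obj_start:m.start()] if obj_start != -1 else b""
        start = m.start(1)
        lm = LENGTH_RE.search(dictionary)
        payload = data[start:start + int(lm.group(1))] if lm else m.group(1)
        if b"/FlateDecode" in dictionary:
            try:
                payload = zlib.decompress(payload)
            except zlib.error:
                continue  # damaged, or not really zlib: nothing to carve
        if len(payload) < 12 or not payload.startswith(SFNT_MAGIC):
            continue
        num_tables = struct.unpack(">H", payload[4:6])[0]
        if num_tables == 0 or len(payload) < 12 + 16 * num_tables:
            continue  # has the magic but no plausible table directory
        idx = len(carved)
        carved.append({
            "offset": start,
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "num_tables": num_tables,
            "bytes": payload,
            "filename": f"font_{idx:02d}_sfnt_off{start:08x}.bin",
        })
    return carved


def write_carved(data, out_dir):
    """Carve and write each font into out_dir; returns the paths written."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for rec in carve_sfnt_fonts(data):
        path = os.path.join(out_dir, rec["filename"])
        with open(path, "wb") as fh:
            fh.write(rec["bytes"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"{rec['filename']}  pdf-font-stream  PDF embedded font (sfnt) at offset "
              f"0x{rec['offset']:X}  {rec['size']} bytes\n    SHA-256: {rec['sha256']}")
```

The hashes this produces are of the decoded font program, which is what to compare against the SHA-256 values listed above or to look up in a font corpus; hashing the compressed stream would vary with the producer's zlib settings.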