Malicious PDF — malware analysis report

Static analysis result for SHA-256 dce378dd12c1f462…

MALICIOUS

PDF

Size: 82.5 KB
Created: 2021-03-14 16:25:50 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7aff3bb203cdc3938d3b71f752581309
SHA-1: b0bf3e74100f332e5e51b867384e2b304c9585dc
SHA-256: dce378dd12c1f462233d13a671edea83ae67411f84ca975aa17cdcc237dc7be1
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
    Note: none of the heuristics listed on this page reports JavaScript in this sample; the T1059.007 mapping is not backed by a finding shown here.

The document carries a link action whose target, https://pelibifir.ru/award?keyword=2020+all+hollywood+movies+list+pdf, is a keyword-stuffed lure posing as a movie list. ClamAV (Pdf.Phishing.Trojan signature) and the ML classifier (score 0.9993) both flag the file, so it is best treated as a phishing or download-redirection document. Most of the other extracted URLs are themselves PDFs on free or bulk hosting (22web.org, weebly.com, f-static.net, filesusr.com, S3 buckets, epizy.com, rf.gd), the usual shape of a chain of lure documents; the w3.org, purl.org and ns.adobe.com entries are XMP namespace URIs, and ascendercorp.com and scripts.sil.org/OFL most likely come from the embedded fonts' name tables (vendor and licence strings), so none of those are indicators. The file was produced by wkhtmltopdf, i.e. rendered from HTML, and no listed heuristic reports JavaScript, an exploit primitive or an executable payload: the risk is the click-through, and the link target is the indicator to block.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://pelibifir.ru/award?keyword=2020+all+hollywood+movies+list+pdf
    • http://wuzagabi.22web.org/11800706122.pdf
    • https://cdn.sqhk.co/jowapezo/eificgg/gladiator_rising_2.pdf
    • https://cdn-cms.f-static.net/uploads/4426688/normal_60359de41a6f3.pdf
    • https://cdn-cms.f-static.net/uploads/4481515/normal_60240da792503.pdf
    • https://cdn.sqhk.co/mapetidul/cghcfd7/2643226066.pdf
    • https://kukapurabu.weebly.com/uploads/1/3/4/3/134375365/fewila-xopunujoxo.pdf
    • http://radusama.22web.org/alphabet_colouring_pages.pdf
    • https://cdn-cms.f-static.net/uploads/4382638/normal_604cec7ee5ac9.pdf
    • https://likizosuzi.weebly.com/uploads/1/3/4/8/134886942/4973686.pdf
    • http://tiwigibafofovit.iblogger.org/texas_instruments_ti-30x_iis_scientific_calculator_red.pdf
    • https://cdn-cms.f-static.net/uploads/4387709/normal_602fb6a351ce4.pdf
    • https://cdn.sqhk.co/xogovofofi/jgjalij/8924913156.pdf
    • https://cdn-cms.f-static.net/uploads/4393220/normal_6017a7cd756e1.pdf
    • https://tilijaxak.weebly.com/uploads/1/3/1/3/131381787/rofavafakedupegi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://0f8fedcd-12c0-4678-86f8-e2bff7269121.filesusr.com/ugd/70e7d4_41c2c9393efa47179cca40afd0d9cbee.pdf?index=true
    • https://58eafb2e-ea74-4523-a1b2-d2e0fe9bfe54.filesusr.com/ugd/466fa0_efcfc53fd0324ab7bbbff9ce41d53d88.pdf?index=true
    • http://kuderegeguf.epizy.com/adestramento_de_gatos.pdf
    • https://5b2b9875-3923-4577-9ef6-0527498c95e7.filesusr.com/ugd/4e6dd5_8160945a4c1a4d92852fcebb482cc9e2.pdf?index=true
    • https://6cbe2f5c-748b-4bc6-b691-25a968a47885.filesusr.com/ugd/d6b5da_29789d1001f74e439a1ccb0a7d8c1363.pdf?index=true
    • https://s3.amazonaws.com/mejados/95377528090.pdf
    • https://s3.amazonaws.com/gumegulaxi/gogamobalogot.pdf
    • https://6f8cb219-4830-455d-9ced-b55e65700e85.filesusr.com/ugd/fd30ac_9aa6e431bfbb434e84d8bdbb6c80e7ee.pdf?index=true
    • https://s3.amazonaws.com/wuxupewu/data_structures_and_algorithms_tutorialspoint.pdf
    • http://tudixavanalomig.rf.gd/charger_escape_part_2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
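The two heuristics above (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the per-channel URL labelling behind PDF_URI / EMBEDDED_URL) can be reproduced with a small raw-bytes scanner. The following is an added example written for this page, not the analysis platform's own code: it walks every `N G obj ... endobj` definition in file order, reports objects defined twice with different bodies together with what a first-wins and a last-wins reader would each resolve, raises severity only when a duplicate carries action or script keys (a design choice here; the platform's rules are not published), and labels each URL by the channel that reached it, separating XMP namespace URIs from link annotations and plain body text. The sample PDF, the `.invalid` hostnames and the trailer offsets are constructed for the example.

```python
import re
from collections import defaultdict

# Raw-bytes object scanner, written for this example. It neither decodes
# streams nor follows xref tables, so it sees every "N G obj" definition in
# file order, exactly the ambiguity a first-wins or last-wins reader faces.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb'https?://[^\s<>"()]+')

# Keys that make a duplicated body "active content" (design choice for this
# example; the report's own severity rules are not published).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/SubmitForm", b"/GoToR", b"/URI")
# Namespace URIs that legitimately occur in XMP metadata and are not indicators.
METADATA_NS = (b"http://www.w3.org/", b"http://purl.org/dc/", b"http://ns.adobe.com/")


def parse_objects(data):
    """Yield (num, gen, body, offset) for every indirect object, in file order."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3), m.start()


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: (num, gen) -> what each reader resolves."""
    defs = defaultdict(list)
    for num, gen, body, off in parse_objects(data):
        defs[(num, gen)].append((off, body.strip()))
    findings = {}
    for key, entries in defs.items():
        if len({body for _, body in entries}) < 2:
            continue                       # identical re-definitions are harmless
        active = any(k in body for _, body in entries for k in ACTIVE_KEYS)
        findings[key] = {
            "count": len(entries),
            "first_wins": entries[0][1],   # what a first-definition reader shows
            "last_wins": entries[-1][1],   # what an update-aware (last-wins) reader shows
            "severity": "high" if active else "info",
        }
    return findings


def url_channels(data):
    """EMBEDDED_URL: url -> set of channels through which the URL is reachable."""
    channels = defaultdict(set)
    for _num, _gen, body, _off in parse_objects(data):
        for m in URI_RE.finditer(body):
            if b"/Annot" in body:
                channels[m.group(1)].add("link-annotation")   # the PDF_URI shape
            elif b"/OpenAction" in body or b"/AA" in body:
                channels[m.group(1)].add("auto-action")       # fires without a click
            else:
                channels[m.group(1)].add("uri-action")
        if b"/Type /Metadata" in body or b"<x:xmpmeta" in body:
            for m in URL_RE.finditer(body):
                url = m.group(0)
                channels[url].add("xmp-namespace" if url.startswith(METADATA_NS) else "xmp-body")
    for m in URL_RE.finditer(data):        # whatever is left is plain text in the body
        if m.group(0) not in channels:
            channels[m.group(0)].add("document-body")
    return dict(channels)


# Constructed sample (not the analysed file): a one-page PDF with a link
# annotation, XMP metadata and a URL in page text, followed by an incremental
# update that redefines the link object with a different target. Offsets in
# the trailers are not accurate; the scanner never uses them.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>')
META_OBJ = (b"6 0 obj << /Type /Metadata /Subtype /XML /Length %d >> stream\n" % len(XMP)
            + XMP + b"\nendstream endobj\n")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Length 40 >> stream\nBT (http://plain.invalid/list.pdf) Tj ET\nendstream endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/benign) >> >> endobj\n"
    + META_OBJ +
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://lure.invalid/award?keyword=movies+list+pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 9 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for (num, gen), f in duplicate_objects(SAMPLE_PDF).items():
        print("obj %d %d defined %d times, severity %s" % (num, gen, f["count"], f["severity"]))
        print("  first-wins:", f["first_wins"][:80])
        print("  last-wins: ", f["last_wins"][:80])
    for url, chans in sorted(url_channels(SAMPLE_PDF).items()):
        print("%-55s %s" % (url.decode(), ",".join(sorted(chans))))
```

On the constructed sample the first-wins body points at the benign target and the last-wins body at the lure, which is the parser-confusion shape the heuristic describes; a triage pipeline should block the union of both. The XMP namespace URI is labelled separately so it does not end up in the same indicator list as the link target.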

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs (sfnt), the normal output of wkhtmltopdf embedding the fonts it used to render the HTML; no script or executable payload was carved.

  • font_00_sfnt_off0001042e.bin
    SHA-256: 7a36b6a6738b32081a71e59090974898a2aef2aad282d1e577e68b95b4288a6c
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1042E; Size: 5620 bytes
  • font_01_sfnt_off00011740.bin
    SHA-256: 511e4a53d07df4523b1019dc93e84db6ede2d1eeb7f71b3c0b71f549137676d2
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11740; Size: 10976 bytes
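How artifacts like the two above are carved: locate stream objects, inflate the FlateDecode ones, keep only payloads that start with an sfnt magic, and name and hash each one. The block below is an added example written for this page, not the platform's carver; it uses the report's naming scheme (font_NN_sfnt_off<offset>.bin, offset of the raw stream bytes) but the analysed file's actual offsets and hashes cannot be re-derived without it. The sample PDF, the 32-byte font-shaped blob and the object numbers are constructed for the example, and the stream locator deliberately ignores /Length and nested dictionaries to stay short.

```python
import hashlib
import re
import zlib

# Stream locator written for this example: the flat dictionary immediately
# before 'stream' and the bytes up to 'endstream'. It does not honour /Length
# or nested dictionaries; a production carver should slice by /Length.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# sfnt wrappers: TrueType (1.0 and Apple 'true'), OpenType/CFF and collections.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def carve_sfnt(data):
    """Return the embedded font programs found in data, named like the report."""
    found = []
    for m in STREAM_RE.finditer(data):
        stream_dict, raw = m.group(1), m.group(2)
        offset = m.start(2)                 # file offset of the raw stream bytes
        if b"/FlateDecode" in stream_dict:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue                    # truncated or corrupt stream: skip, never crash
        else:
            payload = raw
        if payload[:4] not in SFNT_MAGICS:
            continue                        # not a font program (content, images, XMP ...)
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), offset),
            "kind": "pdf-font-stream",
            "source": "PDF embedded font (sfnt) at offset 0x%X" % offset,
            "offset": offset,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return found


# Constructed sample (not the analysed file): a 32-byte TrueType-shaped blob
# (sfnt version 1.0, one table record, zero padding) embedded twice, once
# Flate-compressed as a FontFile2 stream and once uncompressed, beside a page
# content stream that must not be carved.
FONT = b"\x00\x01\x00\x00\x00\x01\x00\x10\x00\x00\x00\x00" + b"\x00" * 20
COMPRESSED = zlib.compress(FONT)
FONT_OBJ = (b"7 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n"
            % (len(COMPRESSED), len(FONT)) + COMPRESSED + b"\nendstream endobj\n")
PLAIN_OBJ = b"9 0 obj << /Length 32 >> stream\n" + FONT + b"\nendstream endobj\n"
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"8 0 obj << /Length 12 >> stream\nBT (x) Tj ET\nendstream endobj\n"
              + FONT_OBJ + PLAIN_OBJ + b"%%EOF\n")

if __name__ == "__main__":
    for art in carve_sfnt(SAMPLE_PDF):
        print(art["filename"], art["sha256"], art["size"], "bytes", "-", art["source"])
```

Hashing the decoded payload rather than the compressed stream is what makes the SHA-256 comparable across samples: the same font subset re-embedded by another wkhtmltopdf run compresses to different bytes but carves to the same artifact, which is how font hashes become a pivot between lure documents from one generator.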