Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd09db37a563d91b…

MALICIOUS

PDF

Size: 91.5 KB
Created: 2021-03-17 00:23:54 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 09d88c7882f1d827c3b5524035093a4c
SHA-1: ea11589522338aeb3cc9758b31cf6bebbaf7b30f
SHA-256: dd09db37a563d91bd40771f66065bb241e58b00eeecb1ffd4f92ef65c166be9d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript (note: none of the heuristics below flags JavaScript in this sample; the indicators that fired are an external URI action and embedded URLs)

The PDF's link action points at a jumiwimov.ru URL whose query string ("monster hunter world greatsword progression guide") dresses the link up as a game guide to entice a click. ClamAV's Pdf.Phishing.Trojan signature and the ML classifier (malicious score 0.9996) agree that the file is a phishing lure rather than an exploit document: its purpose is to send the reader to an attacker-controlled site, potentially for further exploitation. Most of the remaining URLs are .pdf paths on free-hosting and CDN domains, which is consistent with a lure-PDF campaign. The file also redefines an indirect object in an incremental update (see the heuristics below); that pattern is common in benign writers and was rated informational here, meaning the duplicate body was not flagged as carrying active content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for the same reference, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates, so severity is raised only when the duplicate carries active content (actions, scripts, embedded payloads).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; where per-URL labels are available they say which channel (macro, JS, link annotation, document body, ...) reached each URL. The first entry below, listed separately by the tool, is the one matching the game-guide lure described above.
    • https://jumiwimov.ru/wix?keyword=monster+hunter+world+greatsword+progression+guide
    • https://cdn-cms.f-static.net/uploads/4421476/normal_604165a50ef5a.pdf
    • https://static.s123-cdn-static.com/uploads/4451210/normal_5fddd28dbe8ce.pdf
    • http://luminar3-download.xyz/durulasose1ymk.pdf
    • https://cdn-cms.f-static.net/uploads/4387054/normal_602479244b43d.pdf
    • https://cdn-cms.f-static.net/uploads/4462345/normal_600ced9872e14.pdf
    • http://gtmedis.com/1393926914358l17.pdf
    • http://nimojojisox.22web.org/90043649141.pdf
    • https://cdn-cms.f-static.net/uploads/4372355/normal_601a05c8f3ce2.pdf
    • https://static.s123-cdn-static.com/uploads/4471690/normal_5fdd257831b64.pdf
    • http://barisetufor.66ghz.com/venus_in_transit_reading_answer.pdf
    • https://static.s123-cdn-static.com/uploads/4408174/normal_5fc82f541b381.pdf
    • http://dvigatel.guru/mopezivobixanowowagudakut9j160.pdf
    • http://veritebadisifif.iblogger.org/jeep_wrangler_auto_to_manual_transmission_swap.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://kibozeriso.epizy.com/jasezogefagoledi.pdf
    • https://uploads.strikinglycdn.com/files/c2b6861c-769b-4282-b756-774bdf00dfcf/jolesidesonet.pdf
    • http://xofuzugavup.epizy.com/platform_movie_ajay_devgan.pdf
    • https://uploads.strikinglycdn.com/files/76f7fc6d-6e03-4fb4-9b71-a1bea3c18ce3/38126972328.pdf
    • https://uploads.strikinglycdn.com/files/24def4d0-c77f-46de-b6e1-a90bdd77bd62/52846409676.pdf
    • http://woxesuguve.epizy.com/darrieus_vertical_axis_wind_turbine.pdf
    • https://uploads.strikinglycdn.com/files/b5874059-dd6b-4fb6-8dba-6c6634355ca9/vedozifuzoxutijokidarob.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The last nine entries are XMP/RDF schema identifiers and font licence or vendor strings, and the two ascendercorp.com entries are most likely font vendor strings as well; these come from the document's metadata and the embedded fonts' name tables rather than from link actions, and are not navigable lures.
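The two structural heuristics above (PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a byte-level scan of the file. The following is an added example written for this page, not the analysis tool's own code; the two-revision PDF it scans is constructed inline (the domains and object layout are made up, and the xref tables are omitted because the scan does not use them). It indexes every `N G obj ... endobj` definition, reports objects that are defined more than once with differing bodies, shows what a first-wins and a last-wins reader would each see, escalates only when a body carries active-content keys, and pulls every `/URI` target from every definition so that a link that survives only in an overwritten body is still surfaced.

```python
import re
from collections import defaultdict

# Constructed two-revision PDF (not the analysed sample): the incremental update
# after the first %%EOF redefines object 4 0, the link annotation, with a new
# /URI target. The xref tables are omitted because the scan is byte-level.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/guide) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://evil.example/lure.pdf) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj"; the lookbehind stops a match from starting in the middle
# of a number or just after a version string such as "%PDF-1.4".
OBJ_RE = re.compile(rb"(?<![\w.])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string /URI values (hex-string and nested-parenthesis forms are not handled here).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys that make a duplicate body worth escalating: actions, scripts, payloads.
ACTIVE_KEYS = re.compile(
    rb"/(JavaScript|JS|Launch|OpenAction|AA|URI|SubmitForm|GoToR|RichMedia|EmbeddedFile)\b")


def index_objects(data):
    """Map (num, gen) -> [(offset, body), ...] in file order, keeping every definition."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs[key].append((m.start(), m.group(3).strip()))
    return objs


def find_duplicate_objects(data):
    """Objects defined more than once with differing bodies. A first-wins reader
    sees bodies[0], a last-wins reader sees bodies[-1]; severity is raised only
    when at least one of the bodies carries active content."""
    findings = []
    for key, defs in index_objects(data).items():
        bodies = [body for _, body in defs]
        if len(defs) < 2 or len(set(bodies)) < 2:
            continue
        active = any(ACTIVE_KEYS.search(body) for body in bodies)
        findings.append({
            "obj": key,
            "definitions": len(defs),
            "first_wins": bodies[0],
            "last_wins": bodies[-1],
            "severity": "high" if active else "info",
        })
    return findings


def extract_uris(data):
    """{uri: [(num, gen, offset), ...]} over every definition, so a target that
    survives only in an overwritten body is still surfaced."""
    hits = defaultdict(list)
    for (num, gen), defs in index_objects(data).items():
        for offset, body in defs:
            for m in URI_RE.finditer(body):
                hits[m.group(1).decode("latin-1")].append((num, gen, offset))
    return dict(hits)


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print("duplicate %d %d obj, %d definitions, severity %s"
              % (f["obj"] + (f["definitions"], f["severity"])))
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
    for uri, where in extract_uris(SAMPLE_PDF).items():
        print("URI", uri, "in", where)
```

Run it against a real file with `find_duplicate_objects(open(path, "rb").read())`. Objects inside compressed object streams (`/Type /ObjStm`) are not visible to a regex over raw bytes, so a negative result from this scan only says that no duplicate is visible in the uncompressed object layer.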

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00010131.bin
    SHA-256: 9b63f1ce1772ad4203f8c84df278eb8e82495dab8c489dcd4c12e73e20197776
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x10131    Size: 4908 bytes

font_01_sfnt_off00011256.bin
    SHA-256: ec22791615b7cb5c8815a2c39210676a10eb03f1758248c1aa220bed25d3e999
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x11256    Size: 5316 bytes

font_02_sfnt_off00012480.bin
    SHA-256: 26aeb520894f289dd4586f951ca021d5ed74282a086e85cdaa0e3d24a0b01539
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x12480    Size: 11176 bytes

font_03_sfnt_off00014ad3.bin
    SHA-256: ea75db71c9df7250347a03039f742fcd189f5fc3f08964e696816fa8b5227073
    Kind: pdf-font-stream    Source: PDF embedded font (sfnt) at offset 0x14AD3    Size: 16092 bytes
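Embedded fonts are a classic exploit carrier, so the first question about carved sfnt blobs like the four above is whether their containers are even well-formed. The following is an added example, not code from the analysis tool: a structural triage of an sfnt (TrueType/OpenType) container that checks the version magic, keeps the table directory inside the blob, checks that every table record stays within bounds and that no two tables overlap. The fonts it checks are constructed inline with a small builder (constructed test data, not the fonts listed above); `check_carved_font` assumes that the offset and size in the artifact table address the decoded sfnt bytes, which is an assumption about the tool's output.

```python
import struct

# sfnt version magics: TrueType 1.0, Apple 'true', OpenType CFF 'OTTO'
SFNT_VERSIONS = {0x00010000: "TrueType 1.0", 0x74727565: "'true'", 0x4F54544F: "'OTTO' (CFF)"}


def build_sfnt(tables):
    """Assemble a minimal sfnt container from (tag, payload) pairs: 12-byte
    header, 16-byte table records, 4-byte-aligned table data. Constructed test
    helper only; checksums are left at zero and the tables carry no real glyphs."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    offset = 12 + 16 * num
    records, body = b"", b""
    for tag, payload in tables:
        records += struct.pack(">4sIII", tag, 0, offset, len(payload))
        padded = payload + b"\0" * (-len(payload) % 4)
        body += padded
        offset += len(padded)
    return header + records + body


def check_sfnt(blob):
    """Structural triage of a carved font: header magic, directory within bounds,
    each table within the blob, no two tables overlapping. Returns a list of
    issue strings; an empty list means the container is at least well-formed."""
    issues = []
    if len(blob) < 12:
        return ["truncated header (%d bytes)" % len(blob)]
    magic, num_tables = struct.unpack(">IH", blob[:6])
    if magic not in SFNT_VERSIONS:
        issues.append("unknown sfnt version 0x%08X" % magic)
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        issues.append("table directory (%d records) runs past end of data" % num_tables)
        return issues
    spans = []
    for i in range(num_tables):
        record = blob[12 + 16 * i: 28 + 16 * i]
        tag, _checksum, off, length = struct.unpack(">4sIII", record)
        name = tag.decode("latin-1")
        if off < dir_end:
            issues.append("table %s starts inside the directory" % name)
        if off + length > len(blob):
            issues.append("table %s: offset %d + length %d exceeds %d-byte blob"
                          % (name, off, length, len(blob)))
        spans.append((off, off + length, name))
    spans.sort()
    for (_a_start, a_end, a_name), (b_start, _b_end, b_name) in zip(spans, spans[1:]):
        if b_start < a_end:
            issues.append("tables %s and %s overlap" % (a_name, b_name))
    return issues


def check_carved_font(container, offset, size):
    """Apply check_sfnt to a font at a known offset and size, as listed in the
    artifact table (assumes offset and size address the decoded sfnt bytes)."""
    return check_sfnt(container[offset:offset + size])


if __name__ == "__main__":
    good = build_sfnt([(b"head", b"\x00" * 54), (b"name", b"\x01" * 20)])
    print("well-formed:", check_sfnt(good))
    broken = good[:40] + b"\x7f\xff\xff\xff" + good[44:]   # 'name' length field
    print("oversized table:", check_sfnt(broken))
```

Real carved fonts go in via `check_sfnt(open("font_00_sfnt_off00010131.bin", "rb").read())`. A clean result only rules out gross container damage; parser-level bugs live inside individual tables (glyf, CFF, name, cmap), which a fuzzing-aware font parser or a sandboxed render is needed to exercise.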