Malicious PDF — malware analysis report

Static analysis result for SHA-256 dfed5501ed62b277…

Verdict: MALICIOUS
File type: PDF
Size: 82.2 KB
Created: 2021-02-20 07:50:02 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-26
MD5: dfdcef41684c734736bdf9864d805895
SHA-1: 633c29b7d7dd84a5fb011d28d6fd8b83afd675bb
SHA-256: dfed5501ed62b27796b03dfc1cb95e356a797248b5c21cf9bdc37479696bcf59
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF document flagged as malicious both by ClamAV (signature Pdf.Phishing.Trojan) and by a machine-learning classifier. It contains an embedded URL pointing to a suspicious domain, most likely intended to lure the user into visiting a phishing or malware-distribution site. The document body, although heavily obfuscated, contains references to 'Candida crusher diet' and 'wkhtmltopdf', which suggests a generic web-page-to-PDF lure for potentially harmful content rather than a legitimate document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware under the signature named above.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://maypoin.ru/123?utm_term=candida+crusher+diet (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0001083a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1083A | 4900 bytes
  SHA-256: 3c1e1992b759dd3930490765e15fa77be4c4c34f1512efe50b9ebe07f95b4905
font_01_sfnt_off000118d6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x118D6 | 10032 bytes
  SHA-256: 76e50cc29b9ba2dc2866b4ec745da73e0dbc18e76e9ed168a70b87dbad75e3de