Malicious PDF — malware analysis report

Static analysis result for SHA-256 e00d873c9f8920dc…

Verdict: MALICIOUS
File type: PDF
Size: 86.2 KB
Created: 2021-03-09 18:41:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 97f1fdd9efa432e27e0a8d44382b0244
SHA-1: e60327a79d69ae9f109cc97f5ccc39bb25f26c04
SHA-256: e00d873c9f8920dccb9324542925eca7af4e0f778001fc131d2388f1829db324
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URL pointing to 'golowaki.ru', which is suspicious. The document body, though partially garbled, suggests a lure related to car jacks, aiming to trick the user into clicking the malicious link. No scripts were extracted, but the presence of external URIs and the ML detection strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://golowaki.ru/aws?utm_term=do+i+need+a+2+ton+or+3+ton+jack

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000fc03.bin | 0936935ca0599c8109ab6fa26f4bfeb2d5dbab54f0250465dc90d85f372a7a7d | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFC03 | 5160 bytes
font_01_sfnt_off00010db0.bin | 1c3ed4a75743806485ca31b5d3c83c70082569435c8ec864285e465b26968549 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10DB0 | 11476 bytes
font_02_sfnt_off000134af.bin | fcb05c91dafc68cac2a428615c019176456bd34f615c1415dec73d9b10191687 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x134AF | 16392 bytes