Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4663fad6ebcbbc7…

Verdict: MALICIOUS
File type: PDF
Size: 82.3 KB
Created: 2021-04-07 02:43:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4fa18abf858127dabed8fdaf4407687b
SHA-1: 14990807f62825b83ea9e2d08c210fd770859d58
SHA-256: e4663fad6ebcbbc7e933c1017158adf50296e895dbbda7b34c7d0a5738d47a20
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing trojan. It contains an embedded URI pointing to 'dafemum.ru', which is likely a malicious domain used to deliver a payload. The document body, though heavily obfuscated, suggests a lure related to educational content, aligning with phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://dafemum.ru/strik?utm_term=class+11+english+hornbill+full+book+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000ee24.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE24
    Size: 5464 bytes
    SHA-256: 83f57ba20b2cd5c78521b5ab6d3f14573427289dd5235b59559e291ff3fc25a5
  • Filename: font_01_sfnt_off000100ae.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100AE
    Size: 10968 bytes
    SHA-256: f26489fde0150bc7e92f6cc227311e1ae64eb3ce868434fa2d854dbcc9349dbb
  • Filename: font_02_sfnt_off00012649.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12649
    Size: 16164 bytes
    SHA-256: 6e3fbd491d8b71441998836ddca0d0c102716a221ea14f8143929167ad9a79b3