Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea5ee433de7c2cf9…

Verdict: MALICIOUS
File type: PDF
Size: 82.1 KB
Created: 2021-05-09 01:04:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f51b947e34171af3097e6b50d5467e71
SHA-1: 29c5599d03a5f92a16bc2feb8a38b1edd98c592c
SHA-256: ea5ee433de7c2cf967f84b0aff139c5856700d924804ba3e588a8eaed4fed876
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, specifically identified as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, 'druttle.ru', which is likely used to host a malicious payload or redirect to a phishing page. The document body, though heavily obfuscated, suggests a lure related to 'Tork timer trippers'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://druttle.ru/strik?utm_term=tork+timer+trippers

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000e3e7.bin
    SHA-256: d8ef148c594adba1946aa7d95f188f3f33f69c77bc22762a1a4a57bcfd89a796
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE3E7; Size: 2960 bytes
  • font_01_sfnt_off0000ee69.bin
    SHA-256: eae4190c34e980c79003401c823930029f157229796c9ec4b7f6232abd58efb9
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEE69; Size: 4736 bytes
  • font_02_sfnt_off0000fe72.bin
    SHA-256: c21c62b42d23b873fe4f71c6d515ac74d9ce3c69fdfc0b81549e2fde04bf134b
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFE72; Size: 11504 bytes
  • font_03_sfnt_off000125bb.bin
    SHA-256: 95f2a8319533f051e584a9e2aa38e8d42f7eb419abe795cf0dce2d6390e2c0a0
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x125BB; Size: 16204 bytes