Malicious PDF — malware analysis report

Static analysis result for SHA-256 efad56503c8912eb…

MALICIOUS

PDF

Size: 85.6 KB
Created: 2021-04-07 18:41:04 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d58c8599dc63ce0c5b74453b5bcee182
SHA-1: 2e36bea7ca5a1fc49b9e6df429f0cd6c33ef4210
SHA-256: efad56503c8912eb187142f3e9cb644b7dc040f6428c0ce0f7b8829f159e835f
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was flagged as malicious by an ML classifier and by ClamAV, indicating a high likelihood of malicious intent. It contains an embedded URI pointing to 'seumenha.ru', which is likely used for phishing or malware distribution. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the detection suggest the document is designed to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://seumenha.ru/strik?utm_term=lakshmi+ashtothram+in+telugu+naa+songs
    • http://lololoj.sportsontheweb.net/canonical_ensemble_derivation.pdf
    • https://rudusixan.weebly.com/uploads/1/3/0/7/130775573/gexoguguwabusel_minisosi_bikugimuje.pdf
    • https://xonesomo.weebly.com/uploads/1/3/0/7/130739362/242edd.pdf
    • https://static.s123-cdn-static.com/uploads/4448556/normal_5ff01b27431a5.pdf
    • https://static.s123-cdn-static.com/uploads/4446650/normal_6003faebcf790.pdf
    • https://monokuzofo.weebly.com/uploads/1/3/2/7/132741222/5480798.pdf
    • http://wuvovewapug.iblogger.org/28729669734.pdf
    • https://nonejazusedebe.weebly.com/uploads/1/3/6/0/136099570/kutegune.pdf
    • https://cdn-cms.f-static.net/uploads/4445334/normal_6068cf5b9cf62.pdf
    • https://tekofudarazot.weebly.com/uploads/1/3/1/3/131381521/c0791012988d02.pdf
    • https://cdn-cms.f-static.net/uploads/4469643/normal_600dde8cceca9.pdf
    • http://lipexifinidoda.scienceontheweb.net/albert_einstein_theory_of_relativity_paper.pdf
    • https://cdn-cms.f-static.net/uploads/4416656/normal_5fe7a1e581aaf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://fedorahosted.org/lohit
    • https://uploads.strikinglycdn.com/files/1e8d3cdc-9888-4200-ad43-07957fb9cc3a/rejimerabisaruro.pdf
    • https://uploads.strikinglycdn.com/files/bfaaebb2-9777-4f05-91d3-d85284b017e9/how_much_does_gorilla_trades_cost.pdf
    • https://uploads.strikinglycdn.com/files/d74cdf44-d157-494e-a12a-b884f311fe1c/why_is_my_wireless_keyboard_not_working_properly.pdf
    • https://uploads.strikinglycdn.com/files/2065428a-08ff-4a85-81f2-b6bb1b606d66/25125940972.pdf
    • https://uploads.strikinglycdn.com/files/f8539fe7-6aaf-4fa4-b50f-f51672e9df6c/how_to_score_points_in_crib.pdf
    • https://uploads.strikinglycdn.com/files/1eb7fa71-b391-43cc-8d32-e4ede6242eea/baldurs_gate_2_best_class_for_beginners.pdf
    • https://uploads.strikinglycdn.com/files/856b4bc0-7078-48c6-836e-dbc60fd618a0/sampieri_metodologia_dela_investigacion_cualitativa_y_cuantitativa.pdf
    • http://relavidapozo.epizy.com/kowikizi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off0000dc07.bin  | 85ac11b50d3b3054b5c2d7d1b24518d3137f3e0ffc03af7a4ca2d51ffba914c6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDC07  | 5104 bytes
font_01_sfnt_off0000ed3c.bin  | c136d5cfb6bed0e0895a1e3a99a53d0c868d39fafaf2287ee020b6ea682aaf9f | pdf-font-stream | PDF embedded font (sfnt) at offset 0xED3C  | 12576 bytes
font_02_sfnt_off00010f00.bin  | 9c428fbcc409d154804173c7fe9a6fc7b4dc566742e95a5d41d6ac98f20e7671 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F00 | 10280 bytes
font_03_sfnt_off00013284.bin  | 53215fa94485d380bcfc02fccd1a7a25057d6d657321956405aeddcb36a3b5ce | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13284 | 16224 bytes