Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2b5a2859f49a8dd…

Verdict: MALICIOUS
File type: PDF
Size: 80.8 KB
Created: 2021-03-17 16:00:38 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7ac1e39d43c44a2c56c06b8e5d01ecaf
SHA-1: 26f45d06b5da769e92367a7c1e88f0616ba5abb2
SHA-256: f2b5a2859f49a8dde7a0e53382255f741ff7bb33991c51c50e6537f8b477ae7a
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The file is classified as malicious by the ML classifier and by ClamAV, whose detection name identifies it as a phishing trojan. The PDF_URI heuristic pointing to 'dugedepap.ru' together with the SE_DOWNLOAD_BUTTON heuristic suggests a phishing lure designed to trick users into downloading a malicious payload. The document body, though heavily obfuscated, carries metadata showing it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://dugedepap.ru/award?keyword=common+proper+abstract+and+collective+nouns+worksheet+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ff1c.bin
    SHA-256: 581b5113badd703541c5d1c686d751ce4ba5b75dd326b7dbf82eac4f353a7590
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFF1C; Size: 5656 bytes
  • font_01_sfnt_off00011235.bin
    SHA-256: 4349aea0cf1123978ec26bdd3e0f772edf322064f9e468066eef6c4a668459cf
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11235; Size: 10436 bytes