Malicious PDF — malware analysis report

Static analysis result for SHA-256 f363c22442dc71c9…

MALICIOUS

PDF

Size: 81.9 KB
Created: 2021-03-15 03:56:11 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3583976b8fbce39bee5271ce2bb09dbf
SHA-1: be5875ec81cbad1745274f6a8dae189f2d9b9380
SHA-256: f363c22442dc71c9c2486963e06f3ea3f0a61f45abcfe62bd561d1db24f2cd41
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged as malicious by ML classifiers and ClamAV, with a specific detection of 'Pdf.Phishing.Trojan'. An embedded URI points to a suspicious domain, 'jumiwimov.ru', which is likely used for phishing or malware distribution. The document body, though heavily obfuscated, contains text related to social media, suggesting a social engineering lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/wix?keyword=how+to+check+someone%2527s+private+story+on+snapchat

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off0000f59c.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xF59C   5244 bytes
    SHA-256: 9666263a1415322df3d2e3c2193223cde0f1f53b662489c7865e6ba86ac7de9f
font_01_sfnt_off0001075c.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x1075C  10636 bytes
    SHA-256: 5871481fc653a8d1ab464817969f7ccc92cabbbdb4c4571eea649cc159131b65
font_02_sfnt_off00012ba9.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x12BA9  4324 bytes
    SHA-256: d1f4a20f0e35a0564be54678b929bb8c711862c507f070c2b9a6abea8daf4378