Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd384ea583c37489…

Verdict: MALICIOUS
File type: PDF
Size: 82.5 KB
Created: 2021-04-14 15:47:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82025750c1ed78211d507b17f22adea8
SHA-1: d17d9d5441646eb2a31f91f164b3a6d407dd5926
SHA-256: fd384ea583c37489f8c325366d99ee4cd76801e1634efe95d8fc954bf38cc1e1
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URL that impersonates an audio driver download, indicating a social engineering lure. While no scripts were explicitly extracted, the PDF structure and embedded URIs suggest it's designed to trick users into downloading and executing further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://resalured.ru/strik?utm_term=audio+driver+windows+7+32+bit+realtek
    • http://rukozhop-guide.com/blink_xt2_owners_manualt1x5o.pdf
    • https://cdn.sqhk.co/mujowofapubi/hhaYjd0/griswold_family_christmas.pdf
    • http://scotiaenlineape-personas.com/13411151331kzu7y.pdf
    • http://pusatokolerax.mywebcommunity.org/28598752714.pdf
    • https://cdn.sqhk.co/zubejavaxuvu/6gijgSb/wosezukiginevigagun.pdf
    • http://mabobuluka.iblogger.org/bncc_ensino_fundamental_anos_finais_em.pdf
    • http://kupuzuzopojesu.22web.org/python_range_step_include_end.pdf
    • https://cdn.sqhk.co/nezusoxe/SYNOupc/dreamt_about_my_ex_again.pdf
    • http://stalekost.site/what_was_mesopotamia_called_in_ancient_timesd9m0f.pdf
    • https://cdn.sqhk.co/sasibasodiwu/4nhfwYt/44343382856.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/679e1a1c-7254-415f-bfd5-902d6d488f56/23923402878.pdf
    • http://napubuxuwel.epizy.com/kuluweguwekikomom.pdf
    • http://rorokepu.atwebpages.com/in_christ_alone_lyrics_song_download.pdf
    • https://s3.amazonaws.com/megodipewukitoj/what_type_of_lawyer_gets_paid_the_most_in_south_africa.pdf
    • https://uploads.strikinglycdn.com/files/6a7aa942-1816-4a7d-bc5d-ee040eb3872f/85790350736.pdf
    • http://bexukavibume.myartsonline.com/43972634575.pdf
    • https://uploads.strikinglycdn.com/files/f0062888-2889-46a4-9a6e-d0e957bb008b/98372599504.pdf
    • https://uploads.strikinglycdn.com/files/54631cf1-5a02-4196-878a-9a3bd648e30c/david_eddings_pawn_of_prophecy_ebook.pdf
    • https://s3.amazonaws.com/wizedumi/adobe_reader_offline_installer_2019.pdf
    • http://filanak.rf.gd/3835965477.pdf
    • https://uploads.strikinglycdn.com/files/1c683de6-1024-46a7-b604-5e8cab4831dc/tramontina_pressure_cooker_instructions.pdf
    • http://bidusibebawuz.onlinewebshop.net/63536231854.pdf
    • http://josisuvo.epizy.com/69564800262.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00010357.bin
    SHA-256: 6ceb5f20fb800a689248a1b79e7f99d9b66fd5ec88d449ba742403e9198a5b2c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10357
    Size: 5540 bytes
  • Filename: font_01_sfnt_off00011652.bin
    SHA-256: 60d4280bca0d1b2e0a2ef531bf829271ebd896494ba6806a705205d2f89aa567
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11652
    Size: 11332 bytes