Malicious PDF — malware analysis report

Static analysis result for SHA-256 03de503a54e2c319…

MALICIOUS

PDF

122.8 KB Created: 2021-04-02 10:37:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 150fc945f2579c49ae328427c38fe6c6 SHA-1: 6d8f8cf2e727cb51e2f7b4b6e7d5c8c7d6d1478b SHA-256: 03de503a54e2c319cff811a4b70311e57a4adbbe6748ca3b568eaa8be5ef064c
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, specifically as a phishing trojan. It contains an embedded URI pointing to a suspicious domain, which is likely used to deliver a malicious payload or conduct phishing. The document body, though heavily obfuscated, contains keywords related to a movie script, suggesting a lure to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9689

Heuristics 3

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jumiwimov.ru/award?keyword=wonder+woman+2020+script+pdf
    • http://tells.fun/53231549010rho4g.pdf
    • http://katalog-siberian-force.online/mini_cooper_maintenance_scheduleo7gqh.pdf
    • http://ponaleke.iblogger.org/notujurufedetik.pdf
    • http://present-mag.ru/grand_prison_escape_3dhjym3.pdf
    • https://cdn.sqhk.co/dofexoxev/9higijf/83425474651.pdf
    • https://cdn.sqhk.co/buwoxatixun/zgiBigb/google_sheets_averageif_not_blank.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://majoxokusixapav.epizy.com/vehicle_crash_report_by_vin.pdf
    • https://uploads.strikinglycdn.com/files/60406f29-0589-47a3-811e-86a1dffe8e00/xefakisuvilixi.pdf
    • https://6129906d-bc82-46a7-99f5-71793a58af3c.filesusr.com/ugd/d162e3_b37c1328c00d4232b81d43035cda78d2.pdf?index=true
    • https://98771922-91e4-4673-aa0d-7794f4435593.filesusr.com/ugd/b6aaa0_e14ee55a154f4064acb757f59c79949b.pdf?index=true
    • https://s3.amazonaws.com/votuweroxigezog/summer_fishing_guide_stardew_valley.pdf
    • https://uploads.strikinglycdn.com/files/5046e79c-3aed-4085-95f1-7a1c0fb467da/what_is_the_theme_of_the_short_story_the_chrysanthemums.pdf
    • https://s3.amazonaws.com/satulibaren/minecraft_pc_cracked_launcher.pdf
    • https://s3.amazonaws.com/xoxaneral/40133433261.pdf
    • http://kediresij.epizy.com/steins_gate_ending_song_download.pdf
    • https://c6111751-42b6-464f-a8b1-832d492ff999.filesusr.com/ugd/3d0627_4936fc6bc6824be08081ef6479380c8a.pdf?index=true
    • https://s3.amazonaws.com/ganubatebedoxez/drop_test_report_format.pdf
    • https://uploads.strikinglycdn.com/files/2d78eb55-b00d-4e1e-93ae-998b9c03df5f/xepunumexavasavas.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001b6ba.bin
64ab26fc28823ee3d32932a4a4713f2763136a5c428a04df6990f3182d481426		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B6BA 5648 bytes
font_01_sfnt_off0001c9fa.bin
55e56b8f83dedb19564b1b4d28424cc0436aa84cb20bddc3ed87e0164c8036ed		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1C9FA 11284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.