Malicious PDF — malware analysis report

Static analysis result for SHA-256 06fe3f7ac0a667f6…

Verdict: MALICIOUS

File type: PDF

Size: 65.1 KB
Created: 2021-05-22 17:36:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bee7c109654ad6c46dda60b4c625d163
SHA-1: 6025a98da7c60e946327bb7afe2413115ccab0d3
SHA-256: 06fe3f7ac0a667f615004ce49f834488d4347e2e943d5ac88c39dc909a51718e
Risk Score: 114

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains heuristics indicating it is malicious and a phishing attempt, with one rule specifically flagging an embedded URI pointing to an IP address. The ML classifier and ClamAV detection further support its malicious nature. The document body, though heavily obfuscated, contains references to 'Cooler master devastator 3 plus drivers' and 'wkhtmltopdf', suggesting a lure for driver downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8278

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d7ec.bin
SHA-256: b01956fe47ee2cfe775ad4ebf3aeebc661fef8ba99b582fb281e354b676a428b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD7EC
Size: 5236 bytes