Malicious PDF — malware analysis report

Static analysis result for SHA-256 0931561b922bd2b0…

Verdict: MALICIOUS
File type: PDF
Size: 62.3 KB
Created: 2021-04-28 16:11:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6c05b25bfd705e95a5ad0aa7a9b86272
SHA-1: 646e2ba5dabfca73e9830945285bc8a23d3aa06a
SHA-256: 0931561b922bd2b0501f17c1b767ed4e52399beb03d5772566b49eb25cf81aef
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by both ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The embedded URLs point to PDF files hosted on what appear to be compromised websites, suggesting a phishing or malware-distribution attempt. No scripts were extracted, but the presence of multiple embedded URLs strongly suggests a social-engineering tactic to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7822

Heuristics (3)

  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d46d.bin
SHA-256: 626cb2a11d6f688bab9b69d8552e203adc75267df12f135794eef4f6282f94c7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD46D
Size: 5132 bytes